This class provides access to the Data Protection API (DPAPI) available in Microsoft Windows 2000 and later operating systems. This is a service that is provided by the operating system and does not require additional libraries. It provides protection using the user or machine credentials to encrypt or decrypt data.

The class consists of two wrappers for the unmanaged DPAPI, ProtectedData.Protect(Byte[], Byte[], DataProtectionScope) and ProtectedData.Unprotect(Byte[], Byte[], DataProtectionScope). These two methods can be used to encrypt and decrypt data such as passwords, keys, and connection strings.

If you use these methods during impersonation, you may receive the following error: "Key not valid for use in specified state." This occurs because the DPAPI stores the key data in user profiles. If the profile is not loaded, DPAPI won’t be able to perform the decryption. To prevent this error, load the profile of the user you want to impersonate before calling either method. Using DPAPI with impersonation can incur significant complication and requires careful design choices.

Namespace: System.Security.Cryptography
Assembly: System.Security (in System.Security.dll)
Assembly Versions: 2.0.0.0, 4.0.0.0
Since: .NET 2.0