[Mono-list] disaster recovery when using data protection keypairs

Sebastien Pouliot sebastien.pouliot at gmail.com
Tue Dec 22 16:24:22 EST 2009


Hello Dan,

On Tue, 2009-12-22 at 12:37 -0800, dnapierski wrote:
> I'm interested in using the data protection features in mono 2.4.  When using
> the user key store, I see that an xml key file gets created (e.g.
> [1][99999999-eeee-ffff-aaaa-111111111111][-1].xml).  What are the conditions
> under which such a key file can be used on another machine?  Is it possible?

Possible? Yes, because you have access to the full source code and you
can build your *own* tools around this (ProtectedData), or any other,
features.

However, take note that your *own* extensions do not become a Mono
supported feature. I.e. for DPAPI (and keypair persistence) Mono does
not provide/support more than what the .NET framework exposes. This may
cause problems if you want to depend on what the OS (Windows in this
case) can provide - because Mono is not there to replicate the OS
features.

Specifically this means, for DPAPI, the following:

        <quote>It provides protection using the user or machine
        credentials to protect or unprotect data.</quote> [1]

The above quote is what the .NET framework (and Mono) provides. What
Windows (OS) provides (wrt DPAPI / key stores / ...) is a different, and
much larger, story.

> Let's say that I encrypt some data and store it in an external database, and
> I back-up the XML key file.  Then the machine has a hard drive crash, or is
> stolen.  How can I recover the encrypted data stored in the external
> database?

You have the key(s), the (encrypted) data and the source code. If you
backed them up correctly then you'll be able to decrypt the data.

> Thanks in advance for any help, including links to documentation.

There is no documentation besides the framework (monodoc or MSDN[1]) and,
of course, the best one: source code :-)

Sebastien

[1]
http://msdn.microsoft.com/en-ca/library/system.security.cryptography.protecteddata.aspx
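The recovery scenario discussed in this thread (protect data with the user key store, back up the key XML file, later decrypt on a rebuilt machine), as an added example that is not part of the original message or of Mono's own code. It assumes Mono keeps the user key store under the per-user application-data folder in a ".mono/keypairs" directory; the "[1][...][-1].xml" file name pattern comes from the question above. The entropy string and blob path are constructed for the demo.

```csharp
// Added example (not from the original thread or from Mono itself): protect a
// secret with ProtectedData in the CurrentUser scope, persist the ciphertext,
// list the key files an administrator must back up, and recover the secret
// later -- e.g. on a rebuilt machine after the key files have been restored.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class DpapiRecoveryDemo
{
    // ASSUMPTION: Mono's user key store lives in "<ApplicationData>/.mono/keypairs";
    // the "[1][<guid>][-1].xml" files mentioned in the thread are found there.
    static readonly string KeyStoreDir = Path.Combine(
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), ".mono"),
        "keypairs");

    // Constructed for the demo: optional entropy binds the blob to this application.
    // It must be backed up (or rebuilt from source) together with the key files.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("demo-app-entropy");

    // Encrypt and store the secret; what ends up in the "external database" is the blob only.
    public static void Protect(string secret, string blobPath)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);          // drop the plaintext copy early
        File.WriteAllBytes(blobPath, blob);
        Console.WriteLine("Wrote {0} bytes of ciphertext to {1}", blob.Length, blobPath);
        ListKeyFiles();
    }

    // Decrypt after a restore; fails with CryptographicException if the
    // key files (or the entropy) are not the ones used for Protect().
    public static string Recover(string blobPath)
    {
        byte[] blob = File.ReadAllBytes(blobPath);
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("Unprotect failed: " + ex.Message);
            Console.Error.WriteLine("Check that the user key XML files were restored into " + KeyStoreDir);
            throw;
        }
    }

    // Show the operator which files carry the key material. These XML files
    // contain the private key, so the backup needs the same protection as the
    // secrets themselves (restricted permissions, encrypted backup media).
    static void ListKeyFiles()
    {
        if (!Directory.Exists(KeyStoreDir))
        {
            Console.WriteLine("No key store directory at " + KeyStoreDir + " (assumed location)");
            return;
        }
        Console.WriteLine("Key files to back up from " + KeyStoreDir + ":");
        foreach (string f in Directory.GetFiles(KeyStoreDir, "*.xml"))
            Console.WriteLine("  " + Path.GetFileName(f));
    }

    static int Main(string[] args)
    {
        if (args.Length == 3 && args[0] == "protect") { Protect(args[1], args[2]); return 0; }
        if (args.Length == 2 && args[0] == "recover") { Console.WriteLine(Recover(args[1])); return 0; }
        Console.Error.WriteLine("usage: protect <secret> <blobfile> | recover <blobfile>");
        return 1;
    }
}
```

Run it once with `protect` on the original machine, copy both the blob and the listed key XML files to backup, then on the rebuilt machine restore the key files as the same user before running `recover`. If the key files are missing or belong to a different user store, `Unprotect` throws rather than returning garbage, which is the failure mode to test for in a recovery drill.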
