The Windows Data Protection API (DPAPI) encrypts data with keys tied to the current user or to the computer, so a protected value can normally be decrypted only by the same user (or, for machine-scoped data, on the same machine) that created it.
Encrypt and decrypt strings:
```go
pwd := "password"
var decrypted string
encrypted, err := dpapi.Encrypt(pwd) // base64 string holding the DPAPI blob
if err == nil {
	decrypted, err = dpapi.Decrypt(encrypted) // err is nil and decrypted == pwd on success
}
```
Encrypt and decrypt byte arrays:
```go
secret := []byte("isolateIndoors")
var dec []byte
enc, err := dpapi.EncryptBytes(secret) // raw DPAPI blob bytes
if err == nil {
	dec, err = dpapi.DecryptBytes(enc) // dec equals secret when err is nil
}
```
An encrypted string (the DPAPI blob, base64-encoded) looks like this:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAQ5GMbx570mklMuNAyFRhgAAAAACAAAAAAAQZgAAAAEAACAAAACe7tibTHuzIsKVO2adNjiXU9TM9F1eR95Yk0Wk8Kzj7gAAAAAOgAAAAAIAACAAAAA7quouOuNvn7eicqjE9aa75UZN+TAbokD35hTXbE7UOBAAAADEFNscRxOqxxheOIVdtbiQQAAAAC+UCYzQFtF7uRyhjXKnqCii8OHUtmB5LwIgJTx46uLukKGsOp60rGVPGn6ufiYYCRXiCQPAmQEKjsEE1jwqZto=
The package also supports machine-specific encryption (any account on the same computer can decrypt the value) and encryption with additional entropy (a caller-supplied secret that must be presented again to decrypt).
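To show what that string actually carries, here is an added example (not code from this package) that parses the header of a DPAPI blob without any key material. The field layout and the constants (provider GUID, CALG_* identifiers, CRYPTPROTECT_LOCAL_MACHINE) come from wincrypt.h and public descriptions of the blob format, not from this README; the sample input is the encrypted string shown above. The `Scope` method uses the flags field to tell a per-user blob from a machine-specific one.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Constructed sample for this example: the encrypted string shown in the README.
const sampleBlob = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAQ5GMbx570mklMuNAyFRhgAAAAACAAAAAAAQZgAAAAEAACAAAACe7tibTHuzIsKVO2adNjiXU9TM9F1eR95Yk0Wk8Kzj7gAAAAAOgAAAAAIAACAAAAA7quouOuNvn7eicqjE9aa75UZN+TAbokD35hTXbE7UOBAAAADEFNscRxOqxxheOIVdtbiQQAAAAC+UCYzQFtF7uRyhjXKnqCii8OHUtmB5LwIgJTx46uLukKGsOp60rGVPGn6ufiYYCRXiCQPAmQEKjsEE1jwqZto="
// Constants from wincrypt.h (documented with the CryptProtectData function).
const (
	dpapiProviderGUID        = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb" // every DPAPI blob starts with this GUID
	cryptProtectLocalMachine = 0x4                                    // CRYPTPROTECT_LOCAL_MACHINE
	calgAES256               = 0x6610                                 // CALG_AES_256
	calgSHA512               = 0x800e                                 // CALG_SHA_512
)

// Blob holds the header fields that are readable without any key material.
type Blob struct {
	Version, Flags                                        uint32
	ProviderGUID, MasterKeyGUID                           string
	AlgCrypt, AlgCryptBits, AlgHash, AlgHashBits, DataLen uint32
}

// Scope reports whether the machine key or a per-user key protects the blob.
func (b *Blob) Scope() string {
	if b.Flags&cryptProtectLocalMachine != 0 {
		return "machine"
	}
	return "user"
}

// cursor is a bounds-checked little-endian reader; the first error is sticky.
type cursor struct{ buf []byte; off int; err error }

func (c *cursor) bytes(n int) []byte {
	if c.err == nil && (n < 0 || c.off+n > len(c.buf)) {
		c.err = fmt.Errorf("truncated blob: need %d bytes at offset %d", n, c.off)
	}
	if c.err != nil {
		return make([]byte, 16) // zero filler so callers can keep slicing; err is checked at the end
	}
	c.off += n
	return c.buf[c.off-n : c.off]
}

func (c *cursor) u32() uint32 { return binary.LittleEndian.Uint32(c.bytes(4)) }
// guid renders a 16-byte Windows GUID (mixed-endian layout) in its text form.
func (c *cursor) guid() string {
	g := c.bytes(16)
	return fmt.Sprintf("%08x-%04x-%04x-%02x%02x-%x", binary.LittleEndian.Uint32(g[0:4]),
		binary.LittleEndian.Uint16(g[4:6]), binary.LittleEndian.Uint16(g[6:8]), g[8], g[9], g[10:16])
}

// ParseBlob decodes a base64 DPAPI blob and walks its header: version, provider GUID,
// master key version and GUID, flags, description, cipher, salt, legacy HMAC key, hash,
// HMAC2 key, ciphertext, signature. Each variable-size field carries a 4-byte length.
func ParseBlob(b64 string) (*Blob, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	c := &cursor{buf: raw}
	b := &Blob{Version: c.u32()}
	b.ProviderGUID = c.guid()
	if c.err == nil && (b.Version != 1 || b.ProviderGUID != dpapiProviderGUID) {
		return nil, fmt.Errorf("not a DPAPI blob (version %d, provider %s)", b.Version, b.ProviderGUID)
	}
	c.u32() // master key version
	b.MasterKeyGUID = c.guid()
	b.Flags = c.u32()
	c.bytes(int(c.u32())) // description (UTF-16LE, NUL-terminated)
	b.AlgCrypt, b.AlgCryptBits = c.u32(), c.u32()
	c.bytes(int(c.u32())) // salt
	c.bytes(int(c.u32())) // legacy HMAC key, zero length in current blobs
	b.AlgHash, b.AlgHashBits = c.u32(), c.u32()
	c.bytes(int(c.u32())) // HMAC2 key
	b.DataLen = c.u32()
	c.bytes(int(b.DataLen)) // ciphertext
	c.bytes(int(c.u32()))   // signature (HMAC over the blob)
	if c.err == nil && c.off != len(raw) {
		c.err = fmt.Errorf("%d unexpected trailing bytes", len(raw)-c.off)
	}
	if c.err != nil {
		return nil, c.err
	}
	return b, nil
}

func main() {
	b, err := ParseBlob(sampleBlob)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("scope=%s masterkey=%s cipher=0x%x/%d hash=0x%x/%d ciphertext=%d bytes\n",
		b.Scope(), b.MasterKeyGUID, b.AlgCrypt, b.AlgCryptBits, b.AlgHash, b.AlgHashBits, b.DataLen)
}
```

On the string above this reports a per-user blob (flags 0), AES-256 for the data, SHA-512 for the HMAC, 16 bytes of ciphertext, and the GUID of the master key the blob depends on. That GUID names the master key file under the user's Protect folder, which is what to check first when a stored DPAPI value stops decrypting after a profile or key change; no field in the header reveals the plaintext or the key itself.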
There is an application in /cmd/stable that creates a JSON file of encrypted values. Its purpose is to produce a stable set of encrypted values and then verify that they can still be decrypted after any changes are made. On the first run it creates a file named domain.computer.user.stable.json; on subsequent runs it tries to decrypt the values in that file. It currently tests only per-user encryption, but the same approach should allow testing machine encryption and encryption with entropy.
- Data Protection API (wikipedia.org)
- Windows Data Protection (microsoft.com)
- Troubleshooting the DPAPI (microsoft.com)
- CryptProtectData function (microsoft.com)
- Example C Program: Using CryptProtectData (microsoft.com)