GO Windows DPAPI Wrapper

The Windows DPAPI uses keys from the user and computer to encrypt data.

Encrypt and decrypt strings:

pwd := "password"
encrypted, _ := dpapi.Encrypt(pwd)
decrypted, _ := dpapi.Decrypt(encrypted)

Encrypt and decrypt byte arrays:

secret := []byte("isolateIndoors")
enc, _ := dpapi.EncryptBytes(secret)
dec, _ := dpapi.DecryptBytes(enc)

An encrypted string looks like this:

AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAQ5GMbx570mklMuNAyFRhgAAAAACAAAAAAAQZgAAAAEAACAAAACe7tibTHuzIsKVO2adNjiXU9TM9F1eR95Yk0Wk8Kzj7gAAAAAOgAAAAAIAACAAAAA7quouOuNvn7eicqjE9aa75UZN+TAbokD35hTXbE7UOBAAAADEFNscRxOqxxheOIVdtbiQQAAAAC+UCYzQFtF7uRyhjXKnqCii8OHUtmB5LwIgJTx46uLukKGsOp60rGVPGn6ufiYYCRXiCQPAmQEKjsEE1jwqZto=

The package also supports machine specific encryption and encryption using entropy.

Developing

There is an application in /cmd/stable that creates a JSON file of encrypted values. The purpose is to create a stable encrypted value and then verify it can still be decrypted after any changes are made.

It creates a file named domain.computer.user.stable.json on the first run. On subsequent runs it tries to decrypt the values in the JSON file. It currently only tests per-user encryption. But this should allow testing of machine encryption and encryption with entropy.

References

• Data Protection API (wikipedia.org)
• Windows Data Protection (microsoft.com)
• Troubleshooting the DPAPI (microsoft.com)
• CryptProtectData function (microsoft.com)
• Example C Program: Using CryptProtectData (microsoft.com)