System Service: Allow Admins to Impersonate User for Recovery

Discussion in 'Security Software' started by Jeffrey Walton, May 30, 2011.

  1. Hi All,

    I'm working with a suite which allows users to work with encrypted
    data. The data is encrypted under a key which is encrypted with DPAPI
    (i.e., tied to a user's account). So the user calls CryptUnprotectData
    to retrieve their bulk encryption key, and then performs bulk
    encryption using that key.

    The software needs to allow an administrator to recover the encrypted
    data. I believe that means an administrator needs to be able to call
    CryptUnprotectData under a user's context to recover the key.

    Is there an API call which allows a System Service to impersonate a
    user *without* the user's password? Or do I need to look to other
    functions/methods for the recovery effort?

    Thanks in advance,
    Jeffrey Walton, May 30, 2011

  2. I believe that the administrator will need to have its own encrypted
    bulk decryption key in order to act as a recovery agent. That is to say
    that when the bulk key is encrypted and the user gets his personal key
    (tied to his account) - one should also be made for the recovery agent
    (tied to his account).

    EFS either prompts the user to do so, or defaults to making the
    Administrator account a recovery agent.
    I think so, but I can't help you there. I figure it probably
    impersonates in a more limited manner.
    I think that you have to plan ahead for recovery by making another key.
    FromTheRafters, May 30, 2011
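The recovery-agent layout FromTheRafters describes, written out as an added Python example (it is not code from this thread or from the suite Jeffrey is working on). The bulk key is wrapped once per principal at the moment the data is protected, so the administrator later unwraps his own slot and never needs to impersonate the user. Everything here is an assumption for illustration: the principal names and secrets are constructed, and `seal`/`unseal` is an HMAC-SHA256 keystream with encrypt-then-MAC, used only so the example runs on the standard library. On Windows the user's slot would be a CryptProtectData blob and the agent's slot would be the bulk key wrapped to the recovery agent's certificate, which is how EFS stores the file key for a data recovery agent.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(secret: bytes, purpose: bytes) -> bytes:
    """Derive an independent sub-key from a principal secret (assumption: HMAC-SHA256 as the KDF)."""
    return hmac.new(secret, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for AES-CTR, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from `secret`. Stands in for
    CryptProtectData when `secret` is a user's DPAPI key material, and for the
    bulk cipher when `secret` is the bulk key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(secret: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); fails closed on a wrong secret or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong principal secret or tampered blob")
    ks = _keystream(_subkey(secret, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Envelope:
    slots: dict        # principal name -> bulk key sealed under that principal's secret
    ciphertext: bytes  # user data sealed under the bulk key


def protect(data: bytes, principals: dict) -> Envelope:
    """Generate a fresh bulk key and wrap it once per principal. Every slot has
    to be made here, at protect time; that is the 'plan ahead' step."""
    bulk_key = secrets.token_bytes(32)
    slots = {name: seal(secret, bulk_key) for name, secret in principals.items()}
    return Envelope(slots=slots, ciphertext=seal(bulk_key, data))


def recover(env: Envelope, principal: str, secret: bytes) -> bytes:
    """Unwrap through the caller's own slot, so no other user is impersonated."""
    if principal not in env.slots:
        raise KeyError(f"no slot for {principal}; it had to be created when the key was wrapped")
    bulk_key = unseal(secret, env.slots[principal])
    return unseal(bulk_key, env.ciphertext)


def can_recover(env: Envelope, principal: str, secret: bytes) -> bool:
    """True only when `principal` holds a slot that `secret` opens."""
    try:
        recover(env, principal, secret)
        return True
    except (KeyError, ValueError):
        return False


def add_recovery_agent(env: Envelope, holder: str, holder_secret: bytes,
                       agent: str, agent_secret: bytes) -> Envelope:
    """Adding an agent after the fact needs someone who already holds a slot
    (in practice the user, e.g. at next logon), because only they can reach the bulk key."""
    bulk_key = unseal(holder_secret, env.slots[holder])
    slots = dict(env.slots)
    slots[agent] = seal(agent_secret, bulk_key)
    return Envelope(slots=slots, ciphertext=env.ciphertext)


if __name__ == "__main__":
    ALICE = b"alice-dpapi-master-key"      # constructed stand-in for the user's DPAPI key material
    AGENT = b"recovery-agent-private-key"  # constructed stand-in for the agent's private key
    env = protect(b"quarterly numbers", {"alice": ALICE, "recovery-agent": AGENT})
    print(recover(env, "recovery-agent", AGENT))  # admin path never touches ALICE
    print(can_recover(env, "alice", AGENT))       # False: the agent cannot open Alice's slot
```

The point the thread circles around shows up in `protect` and `add_recovery_agent`: a slot for the administrator is cheap to create while the bulk key is in hand, and impossible to create afterwards without a holder of an existing slot. An impersonation API would not change that; it would only move the problem to "who can impersonate", which is exactly the privilege the design is trying not to hand out.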
