Hi,

I want to encrypt data before saving it to the database. The access to the data is controlled by the application. So anyone with Admin role should be able to see the data. I want to be able to protect the encryption key used to encrypt/decrypt the data. I don't want to use the DPAPI machine key since the server hosts multiple apps.

I was wondering if it is possible to create a service account and use that account's logon credential to encrypt the key in the web.config file.

Thanks

A: 

Ok, the answer is kinda yes and no depending on your stack.

If you're hosted on IIS 7 then you should be able to just use a dedicated app pool and use the new LoadUserProfile feature - which will allow DPAPI to make use of the user store.

IIS 6 doesn't have that feature so on that one the strict answer is no - but Microsoft have provided a nice example of how to get a similar end result. They use a service to do the encryption/decryption as the Windows service control manager loads the user profile (thus allowing DPAPI to work).

It's a fairly lengthy read, but should do the trick:

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

chrisb
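As an added illustration (not part of the original answer), this is the shape of the web.config fragment that makes the built-in DPAPI protected-configuration provider use the per-user store instead of the machine store, so a section holding the key can be decrypted only by the account whose profile encrypted it. The provider name `UserStoreProvider`, the setting name `DataEncryptionKey`, the key value and the app path are placeholders I chose, not from the post.

```xml
<!-- Constructed web.config fragment (example, not from the original post).
     "UserStoreProvider", "DataEncryptionKey" and the key value are placeholders. -->
<configuration>
  <configProtectedData>
    <providers>
      <!-- useMachineProtection="false" tells DpapiProtectedConfigurationProvider to
           use the DPAPI user store of the identity running the process, so other
           applications on the same server running under different accounts cannot
           decrypt this section even though they share the machine key. -->
      <add name="UserStoreProvider"
           type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           useMachineProtection="false"
           keyEntropy="" />
    </providers>
  </configProtectedData>

  <!-- Plaintext before protection. After aspnet_regiis runs, this section carries
       configProtectionProvider="UserStoreProvider" and an <EncryptedData> child;
       ConfigurationManager.AppSettings["DataEncryptionKey"] still returns the
       plaintext at runtime, but only when the process runs as the protecting account
       with its user profile loaded. -->
  <appSettings>
    <add key="DataEncryptionKey" value="PLACEHOLDER-BASE64-KEY" />
  </appSettings>
</configuration>
```

Protect the section from a shell started as the service account (`runas /profile /user:DOMAIN\svc_web cmd`, both placeholders) with `aspnet_regiis -pe "appSettings" -app "/MyApp" -prov "UserStoreProvider"`, since whichever account runs that command owns the user store the ciphertext is bound to. Then run the site in a dedicated IIS 7 application pool under that same identity with Load User Profile set to true; without the profile loaded, DPAPI user-store decryption fails in the worker process.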