Best Method to Protect Encryption Key in Windows Registry

    Question

  • Greetings group,

    I have a general, best-practice question regarding stored encryption keys within the Windows registry. We have a custom application that utilizes encryption to protect a sensitive database. The master key for this encrypted database resides within the registry (in a Windows 2008 R2 server) in cleartext. My concern is that, since the master decryption key is stored in cleartext in the registry, whenever this server is backed up or admin folks log in, the risk exists for someone to discover the key and have access to the encrypted database that they should not have.

    I would be interested in getting your thoughts on what are some possible ways to further secure this key? Does the registry support encryption? Are there third party tools that can help in securing the registry?

    Thanks,


    Nes

    Friday, November 01, 2013 7:09 PM

Answers

  • > Does the registry support encryption?

    no.

    > Are there third party tools that can help in securing the registry?

    yes, for example registry permissions. However, there is no way to protect the registry from administrators.

    Storing encryption keys in the registry in plaintext is a bit ridiculous. The only thing you can do here is:

    1) Protect the registry key via registry permissions so that access is allowed only to the user account under which your application runs.

    2) Consider encrypting backups with an external tool (something like PGP).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Marked as answer by Nestor Cabrera Monday, November 04, 2013 3:24 PM
    Saturday, November 02, 2013 7:53 AM
  • > Does the registry support encryption?

    no.

    > Are there third party tools that can help in securing the registry?

    yes, for example registry permissions. However, there is no way to protect the registry from administrators.

    Storing encryption keys in the registry in plaintext is a bit ridiculous. The only thing you can do here is:

    1) Protect the registry key via registry permissions so that access is allowed only to the user account under which your application runs.

    2) Consider encrypting backups with an external tool (something like PGP).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    While it is true that you cannot encrypt the registry, it isn't true that you cannot encrypt entries in the registry, though that is up to the application. For example, FIM CM encrypts the CA exit module connection string and the passwords for some of the agent accounts and stores the encrypted strings in the registry. It uses DPAPI to encrypt these values.

    Given that the vendor of your particular application has chosen to store the encryption keys in clear text, I'd have to question the entire security of the application. The vendor clearly doesn't understand security.

    • Marked as answer by Nestor Cabrera Monday, November 04, 2013 3:24 PM
    Saturday, November 02, 2013 3:22 PM
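
One way to do what Paul describes, as an added example that is not from this thread or from any vendor's product: a PowerShell script that DPAPI-protects the master key before writing it to the registry, then tightens the key's ACL as Vadims suggests in his point 1. The registry path, value name, service account name and entropy string are placeholders chosen for the example.

```powershell
# Added example, not code from the thread. Placeholder values: the registry path,
# the value name, the service account name and the entropy string are made up.
Add-Type -AssemblyName System.Security

$RegPath     = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder path
$ValueName   = 'MasterKey'                                 # placeholder value name
$ServiceUser = 'CONTOSO\svc-exampleapp'                    # placeholder service account
# Optional extra entropy: a per-application secret that must also be supplied to unprotect.
$Entropy     = [Text.Encoding]::UTF8.GetBytes('ExampleApp-v1')

function Protect-MasterKey {
    param([byte[]]$KeyBytes)
    # LocalMachine scope: any process on this host that can read the value can unprotect it,
    # so the ACL below is what limits access. CurrentUser scope would tie it to the service
    # account's profile instead. Neither scope keeps the key from an administrator, as the
    # thread points out; this reduces exposure to non-admin users and to backup copies.
    [Security.Cryptography.ProtectedData]::Protect(
        $KeyBytes, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
}

function Unprotect-MasterKey {
    param([byte[]]$Blob)
    [Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
}

# 1. Store the DPAPI blob in the registry instead of the cleartext key (Paul's point).
$masterKey = New-Object byte[] 32                                            # constructed sample key
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($masterKey)
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name $ValueName -Value (Protect-MasterKey $masterKey) -Type Binary

# 2. Restrict the key so only the service account, SYSTEM and Administrators can read it
#    (Vadims's point 1). Administrators cannot be excluded: they can take ownership regardless.
$acl = Get-Acl -Path $RegPath
$acl.SetAccessRuleProtection($true, $false)   # drop the broad inherited ACEs
$grants = @{ $ServiceUser = 'ReadKey'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' }
foreach ($id in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, $grants[$id], 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $RegPath -AclObject $acl

# Round-trip check: the stored value is an opaque blob, but it unprotects back to the key.
$stored = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if (($stored -join ',') -eq ($masterKey -join ',')) { throw 'key was stored in cleartext' }
if (((Unprotect-MasterKey $stored) -join ',') -ne ($masterKey -join ',')) { throw 'round-trip failed' }
```

Run it elevated on the server; a `Get-ItemProperty` from an account outside the ACL then fails with access denied, and a copy of the hive or a backup yields only the DPAPI blob, which needs this machine's DPAPI master key plus the entropy to unprotect.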

All replies

  • Thanks for the clarification, Paul. I was assuming registry key encryption in a user context. That is, if the application runs under a specific user account, that user account is able to extract the encryption key in any way. Moreover, I doubt that it is possible to protect the encryption key from an administrator, because administrators have access to any user account on the system, so the answer is "no", there is no reliable solution for this question. Eventually, if you don't trust your administrator, there is a problem with your staff.

    And yes, I agree that the vendor has a wrong understanding of security.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Saturday, November 02, 2013 6:43 PM
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Monday, November 04, 2013 8:09 AM