Store the per-machine cak_ with BOTH layers Mike locked: DPAPI-machine encryption (CryptProtectData with CRYPTPROTECT_LOCAL_MACHINE — a copied blob is inert off the box) inside a SYSTEM/Administrators-only ACL'd file at %ProgramData%\GuruConnect\credentials\agent.cak.

The directory + file ACL is hardened via icacls (/inheritance:r + grant to the well-known SIDs *S-1-5-18 and *S-1-5-32-544, locale-independent) — auditable, with far less unsafe FFI than building a registry-key security descriptor by hand. Co-locates with the existing %ProgramData%\GuruConnect config/seed dir.

Provides store_cak / load_cak / clear_cak. store_cak writes atomically (temp file + rename in the locked dir). load_cak treats a present-but-undecryptable blob as a hard error (tamper / cross-machine copy) rather than silently re-enrolling over it.

The plaintext is never logged; the transient plaintext copy is scrubbed after encryption. DPAPI output blobs are LocalFree'd. Enables the Win32_Security_Cryptography windows feature.

Round-trip unit tests cover encrypt/decrypt recovery across lengths and that a tampered blob fails to decrypt (DPAPI authenticates its blobs).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
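The storage scheme the commit describes, reproduced from PowerShell as an added example. This is not GuruConnect's code and not the Rust module the commit adds; it uses .NET's ProtectedData class, which wraps CryptProtectData/CryptUnprotectData, with DataProtectionScope LocalMachine standing in for CRYPTPROTECT_LOCAL_MACHINE. The directory path is the one the commit names; the sample key bytes, the function names and the byte-flip tamper check are assumptions for illustration. It must run elevated, since icacls on a fresh %ProgramData% subdirectory and writing there require it.

```powershell
# Added example, not GuruConnect's own code. Assumes: elevated Windows PowerShell 5.1+,
# the path named in the commit, and constructed sample key bytes (NOT a real CAK).
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData

$Dir   = Join-Path $env:ProgramData 'GuruConnect\credentials'
$File  = Join-Path $Dir 'agent.cak'
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

# 1. Lock the directory: drop all inherited ACEs, then grant only the two well-known
#    SIDs. (OI)(CI) makes files created inside inherit the same SYSTEM/Admins-only ACL.
#    Using '*SID' instead of names keeps this locale-independent.
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
icacls $Dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Dir (exit $LASTEXITCODE)" }

# Verify the ACL: every ACE on the directory must resolve to one of the allowed SIDs.
function Assert-OnlyAllowedSids {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $unexpected = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -notin $AllowedSids
    }
    if ($unexpected) {
        throw "unexpected ACEs on ${Path}: $($unexpected.IdentityReference -join ', ')"
    }
}
Assert-OnlyAllowedSids $Dir

# 2. store: DPAPI machine-scope encrypt, scrub the plaintext, write atomically
#    (temp file in the same locked directory, then rename over the target).
function Store-Cak {
    param([byte[]]$Cak, [string]$Path)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($Cak, $null, $Scope)
    [Array]::Clear($Cak, 0, $Cak.Length)            # transient plaintext copy scrubbed
    $tmp = Join-Path (Split-Path -Parent $Path) ([System.IO.Path]::GetRandomFileName())
    [System.IO.File]::WriteAllBytes($tmp, $blob)
    Move-Item -LiteralPath $tmp -Destination $Path -Force   # same volume: a rename
    return $blob                                    # returned here only for the tamper demo below
}

# 3. load: absent file means "not enrolled"; present-but-undecryptable is a hard error,
#    never a silent re-enroll (tampered, or copied from another machine).
function Load-Cak {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $enc = [System.IO.File]::ReadAllBytes($Path)
    try {
        return [System.Security.Cryptography.ProtectedData]::Unprotect($enc, $null, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "agent.cak is present but undecryptable (tampered or cross-machine copy); refusing to re-enroll over it"
    }
}

function Clear-Cak { param([string]$Path) Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }

# --- Round trip on constructed sample bytes ---
$sample = [byte[]](1..32)
$expected = [byte[]]$sample.Clone()
$blob = Store-Cak -Cak $sample -Path $File
Assert-OnlyAllowedSids $File                       # file inherited the locked directory ACL
$back = Load-Cak -Path $File
if (-not [System.Linq.Enumerable]::SequenceEqual([byte[]]$back, $expected)) { throw 'round trip mismatch' }
"round trip ok, $($blob.Length)-byte DPAPI blob"

# --- Tamper check: DPAPI authenticates its blobs, so a single flipped byte must fail ---
$tampered = [byte[]]$blob.Clone()
$tampered[-1] = $tampered[-1] -bxor 1
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($tampered, $null, $Scope)
    throw 'tampered blob decrypted; DPAPI integrity check did not fire'
} catch [System.Security.Cryptography.CryptographicException] {
    'tampered blob rejected as expected'
}
Clear-Cak -Path $File
```

The `-notin` check is the part worth keeping around as an audit: after `/inheritance:r` a directory that already carried explicit (non-inherited) ACEs keeps them, so verifying that nothing but S-1-5-18 and S-1-5-32-544 remains is what proves the "SYSTEM/Administrators-only" claim rather than assuming it.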
2.6 KiB