
The underlying tech is Windows DPAPI and .NET's use of it via ProtectedData. In our scenario, we have an application that runs across various servers: Web APIs, websites that users can log into, and Windows services running in the background. All of these run under a specific AD account for the application.

The encryption keys are stored against the profile, and this allows all components to access the data. All working OK.

However, is there an inherent risk in associating the keys with an AD profile, in that any manipulation/corruption of the profile may result in the application no longer being able to access the data? Or is this risk so low as to be negligible?

Would it be better to use .NET's other cryptographic objects to store the key at an application level so that AD is not involved?

I had initially searched on the site and found this post on symmetric encryption, which linked to a good whitepaper by Microsoft that does outline some of the weaknesses of DPAPI but doesn't quite address whether it's appropriate for a large, somewhat distributed application. I think there's some risk, but I don't know if it's high enough to be worried about in the long term.

DiskJunky
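To make the question concrete, the following is an added example (not code from the poster or their application) that round-trips an application key through ProtectedData in both DPAPI scopes and reports which profile master keys a CurrentUser blob depends on. It assumes Windows PowerShell 5.1 on a domain-joined host; the function names, file paths and the entropy string are illustrative choices made here.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1;
# function names, paths and the entropy value are illustrative.
Add-Type -AssemblyName System.Security

function New-RandomKey {
    # A fresh symmetric key; this is the secret the question's components share.
    param([int]$Bytes = 32)
    $key = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    return $key
}

function Protect-AppKey {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    # CurrentUser: blob is tied to the caller's DPAPI master keys (in the profile).
    # LocalMachine: blob is tied to the machine's keys; any local principal can decrypt it.
    $dpapiScope = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($Key, $Entropy, $dpapiScope)
    [System.IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-AppKey {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    $dpapiScope = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        return [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $dpapiScope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when a different account calls (CurrentUser scope), the entropy
        # differs, or the master key the blob references is no longer available.
        Write-Warning "DPAPI could not unprotect '$Path' as $([Environment]::UserName): $($_.Exception.Message)"
        return $null
    }
}

function Get-DpapiMasterKeyInfo {
    # Every CurrentUser blob names (by GUID) a master key file under the caller's
    # profile. If this directory is lost or corrupted, the blobs become unreadable.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $identity.User.Value
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    [pscustomobject]@{
        Account        = $identity.Name
        Sid            = $sid
        MasterKeyDir   = $dir
        MasterKeyFiles = if (Test-Path $dir) { @(Get-ChildItem -Path $dir -File -Force).Count } else { 0 }
    }
}

# Demonstration: protect a key as the current account, read it back, and show the dependency.
$key     = New-RandomKey
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')   # illustrative value
$userBlob    = Join-Path $env:TEMP 'appkey.user.bin'
$machineBlob = Join-Path $env:TEMP 'appkey.machine.bin'

Protect-AppKey -Key $key -Path $userBlob    -Scope CurrentUser  -Entropy $entropy
Protect-AppKey -Key $key -Path $machineBlob -Scope LocalMachine -Entropy $entropy

$back = Unprotect-AppKey -Path $userBlob -Scope CurrentUser -Entropy $entropy
$same = ($null -ne $back) -and ([Convert]::ToBase64String($key) -eq [Convert]::ToBase64String($back))
"CurrentUser round trip as $([Environment]::UserName) succeeded: $same"
Get-DpapiMasterKeyInfo | Format-List
```

Run the script twice: once as the application's AD service account (for example via `runas /user:DOMAIN\svc-app powershell.exe`) and once as any other local account. The CurrentUser blob decrypts only in the first run; the second produces the warning and `$null`, while the LocalMachine blob decrypts in both. That is the trade-off behind the question: CurrentUser scope is exactly as available as the master keys under `%APPDATA%\Microsoft\Protect\<SID>`, whereas LocalMachine scope survives profile loss but lets every principal on the box read the key. For domain accounts, DPAPI also escrows each master key under the domain's DPAPI backup key, so a lost local master key can be recovered through a domain controller; a deleted profile or an administrative password reset of the service account is the realistic way the CurrentUser blobs become unreadable until that recovery is done.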

1 Answer


Looking at some of the risks/issues/questions:

  1. AD was never designed for online use with issues like what we saw in 2016.
  2. Does the service account meet the principle of least privilege?
  3. Integrity: What happens when the profile gets corrupted? Do you have backups? Are they encrypted?
  4. Confidentiality: How confidential is the data, and how much will a breach cost you?
  5. Availability: How long an outage can you afford?
  6. Detecting a breach: Are you monitoring for unusual activity?
  7. After a breach: Can you revoke the keys? How do you issue new keys?
  8. Other options designed for distributed systems, such as Vault or Octopus Deploy
  9. Knowns

It depends on the industry you are in, which will affect your risk. It's rarely a single person's decision and should be communicated to the business.

tl;dr: Personally, I would advise against using AD as a glorified key store for a distributed system, as MS has Key Store Management Services.

lloyd