I am looking for a way to store a secret on a Windows computer so that even the administrator cannot access it.
But executables that are signed with a specific code signing certificate should be able to access that secret without user interaction.
I was thinking about using the following approach:
- Create a new Windows user "SecretKeeper" with a random password that is not known to any user.
- Install a Windows Service running under the SecretKeeper user account. (The Service can be started automatically by Windows without anyone else knowing the password of SecretKeeper)
- Give the secret to that Service, have it store the file on the file system and encrypt it using the Windows File Encryption API (so only that specific user SecretKeeper can read the file)
- When an application needs the secret, it can communicate with the service in a way so that the service can check the code signature of the executable before sending the secret.
The problem with this approach is that an administrator can replace the service executable with their own executable, which is then started running as SecretKeeper and can decrypt the file.
Is there some way to make sure the executable of an installed Windows service cannot be replaced, even by the administrator? Or is there maybe a completely different approach to achieve the goal of hiding a secret even from the administrator?
Note: I am aware that a local administrator of a Windows computer has other means to access process memory of running processes or watch communication between processes and that there would have to be other mechanisms to prevent that.
This question is similar to the following questions:
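The signature check from the proposed design, as an added PowerShell example that is not part of the question: the service resolves the executable behind a named-pipe connection and releases the EFS-encrypted secret only if that binary carries a Valid Authenticode signature from one pinned certificate. The pipe name, the thumbprint placeholder, the secret file path and the GetNamedPipeClientProcessId P/Invoke are assumptions, and the code assumes it runs on Windows under the SecretKeeper account.

```powershell
# Win32 call used to learn which process is on the client end of the pipe (assumption: P/Invoke via Add-Type)
Add-Type -Namespace Win32 -Name Pipe -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeClientProcessId(IntPtr hPipe, out uint clientPid);
'@

function Protect-SecretFile {
    # Store the secret and EFS-encrypt it under the account this runs as (SecretKeeper)
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Secret)
    Set-Content -LiteralPath $Path -Value $Secret -NoNewline
    (Get-Item -LiteralPath $Path).Encrypt()
}

function Test-CallerSignature {
    param([Parameter(Mandatory)] [string] $ExePath,
          [Parameter(Mandatory)] [string] $ExpectedThumbprint)   # placeholder: pin your own signing cert
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $ExePath
    # Valid = signed, hash intact, chain to a trusted root; NotSigned, HashMismatch, NotTrusted all fail here
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) { return $false }
    # Pin the exact signer, not "any trusted publisher" (-eq is case-insensitive)
    return $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint
}

function Get-PipeClientExePath {
    param([Parameter(Mandatory)] [System.IO.Pipes.NamedPipeServerStream] $Pipe)
    [uint32] $clientPid = 0      # not $pid, which is a read-only automatic variable
    $handle = $Pipe.SafePipeHandle.DangerousGetHandle()
    if (-not [Win32.Pipe]::GetNamedPipeClientProcessId($handle, [ref] $clientPid)) { return $null }
    return (Get-Process -Id $clientPid -ErrorAction SilentlyContinue).Path
}

function Invoke-SecretKeeperOnce {
    # Accept one connection, vet the caller, answer, close. A real service loops on this.
    param([string] $PipeName = 'SecretKeeper', [Parameter(Mandatory)] [string] $Thumbprint,
          [Parameter(Mandatory)] [string] $SecretPath)
    $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $pipe.WaitForConnection()
        $caller = Get-PipeClientExePath -Pipe $pipe
        $writer = New-Object System.IO.StreamWriter($pipe)
        if ($caller -and (Test-CallerSignature -ExePath $caller -ExpectedThumbprint $Thumbprint)) {
            $writer.Write((Get-Content -LiteralPath $SecretPath -Raw))
        } else {
            $writer.Write('DENIED')   # give the caller no detail; log path and PID server-side instead
        }
        $writer.Flush()
    } finally { $pipe.Dispose() }
}
```

The check runs inside the service process itself, so it decides which clients are answered; it does nothing about the binary-replacement problem the question raises.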