
We have a tool running on WinPE (Windows PreInstallation Environment) which talks to a web service. A user enters his login credentials and the web service authenticates the user and returns an authentication token. I want to securely store this token on the system for sending this with subsequent requests.

DPAPI: Looks like DPAPI won't be secure enough as there won't be any user account (neither local nor domain) in the WinPE. This question

How can this be achieved?


Summary: unless you have very specific requirements, just use the decent tools Microsoft has provided.

DPAPI allows you to encrypt with user specific or computer specific keys. On a typical shared machine it is slightly less safe to store data for one user in computer context.

If your WinPE environment is short lived, e.g. the tool runs and then it shuts down, it should be quite safe to use “current computer” mode. You can do this by setting dwFlags to CRYPTPROTECT_LOCAL_MACHINE when calling CryptProtectData.

At this point your secret data is stored on disk using encryption which should be well implemented and tested by Microsoft. This is better than rolling your own crypto.

Risks now are:

  • Anybody who can run code on the machine can extract the secret. If this is a concern, also pass a value for pOptionalEntropy to CryptProtectData. This is effectively a “password” and would force an attacker to also reverse engineer your program to obtain the additional entropy. However, if someone can run code it should be game over for most sensible threat models.
  • Data can be obtained from a forensic image of the machine. Offline decryption of DPAPI data is possible, there are tools and even a Python implementation. However, this takes time and requires a good forensic image of the original PC. Note it is not an offline attack, you need all of the key material. This is no different to using any other encryption to protect the data. Consider BitLocker to protect the disk.

If you control the web application, also consider best practices like risk scoring API token usage. Has the client IP changed? Has the browser changed? Is the client trying to conduct a privileged operation? Each of these can increase a risk score and perhaps trigger extra validation.

David
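The "current computer" mode plus optional entropy described in the answer, as an added example that is not part of the question or answer. It uses the .NET `ProtectedData` wrapper, whose `LocalMachine` scope maps to `CRYPTPROTECT_LOCAL_MACHINE` and whose second argument maps to `pOptionalEntropy`; it assumes a WinPE image built with the WinPE-NetFx and WinPE-PowerShell optional components, and the file path, entropy string and token value are placeholders.

```powershell
# Added example: store a web-service token with DPAPI in machine scope and read it back.
# Assumes WinPE-NetFx and WinPE-PowerShell are in the image; path/entropy/token are placeholders.
Add-Type -AssemblyName System.Security

# Secondary "password" passed as pOptionalEntropy: an attacker needs this value from the
# program as well as the DPAPI machine key. Keep it out of logs and source control.
$entropy   = [System.Text.Encoding]::UTF8.GetBytes('replace-with-app-specific-entropy')
$tokenFile = 'X:\ProgramData\MyTool\token.bin'   # X: is the volatile WinPE RAM drive

function Protect-Token {
    param([Parameter(Mandatory)][string]$Token)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Token)
    # LocalMachine scope needs no user profile, which is the situation in WinPE where
    # there is neither a local nor a domain user account.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Array]::Clear($plain, 0, $plain.Length)   # drop the plaintext copy promptly
    New-Item -ItemType Directory -Path (Split-Path $tokenFile) -Force | Out-Null
    [System.IO.File]::WriteAllBytes($tokenFile, $blob)
}

function Unprotect-Token {
    $blob = [System.IO.File]::ReadAllBytes($tokenFile)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong entropy, different machine or a tampered blob: DPAPI fails closed rather
        # than returning garbage, so the caller should fall back to re-authenticating.
        throw "Stored token could not be decrypted on this machine: $($_.Exception.Message)"
    }
    $token = [System.Text.Encoding]::UTF8.GetString($plain)
    [Array]::Clear($plain, 0, $plain.Length)
    return $token
}

# Usage: after the web service returns the token (constructed sample value)
Protect-Token -Token 'sample-token-from-web-service'
$headers = @{ Authorization = "Bearer $(Unprotect-Token)" }
# Invoke-RestMethod -Uri 'https://example.invalid/api/status' -Headers $headers
```

Because X: lives in RAM, the stored blob disappears when WinPE shuts down, which matches the short-lived environment the answer assumes.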