ProtectionDescriptor Property
The CNG protection descriptor.
Syntax
property ProtectionDescriptor: String read get_ProtectionDescriptor write set_ProtectionDescriptor;
Default Value
''
Remarks
This property specifies the protection descriptor rule string. The protection descriptor is used by the system to decide which entities can unprotect the data at a later time. This property must be specified before calling Protect. This property is populated after calling Unprotect.
Protection descriptors can be defined for the following types of authorization:
- A local user or machine
- An account or group in an Active Directory forest
- A set of web credentials
- A certificate in the user's certificate store
A local user or machine may be used for machines that are or are not on a domain. For instance:
- LOCAL=user
- LOCAL=machine
The use of SID and SDDL requires that the machine be part of a domain. For instance:
- SID=S-1-5-21-4392301 AND SID=S-1-5-21-3101812
- SDDL=O:S-1-5-5-0-290724G:SYD:(A;;CCDC;;;S-1-5-5-0-290724)(A;;DC;;;WD)
Certificates may also be used as a descriptor. To decrypt, the certificate with corresponding private key must be present in the user's certificate store. The public certificate can be specified as the SHA1 thumbprint (hash) of the certificate, or the base64 encoded certificate itself. For instance:
- CERTIFICATE=HashID:28ac375635b82ca3e20a1c9422145bc93965dae7
- CERTIFICATE=CertBlob:MIIC7TCCAdWgAw...pgpVgYpppr
The use of AND and OR operators are accepted in order to encrypt data for multiple parties or establish multiple conditions for decryption.
For more details about protection descriptors and accepted formats please refer to the Microsoft Documentation for Protection Descriptors
This setting is only applicable when UseCNG is set to True.