Open krwq opened 1 month ago
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones See info in area-owners.md if you want to be subscribed.
I'm not sure I like the names of any of these new enum members. NCRYPT_USE_PER_BOOT_KEY_FLAG doesn't seem to be on MSDN, so I can't say if the description offers a better description of what this means, and the Vbs isn't (I don't think) a common enough concept yet that it's worthy of abbreviation... but the expanded form isn't really better.
So, they might all be "right", but I'm not sure I like them :)
I mainly matched the WinAPI names but will leave for API review to make a call which name they prefer - I think it's easier to mostly match existing WinAPI names but I'm personally not a fan of "VBS" in the name
```csharp
namespace System.Security.Cryptography;

[Flags]
public enum CngKeyCreationOptions : int
{
    // existing:
    // None = 0x00000000,
    // MachineKey = 0x00000020,           // NCRYPT_MACHINE_KEY_FLAG
    // OverwriteExistingKey = 0x00000080, // NCRYPT_OVERWRITE_KEY_FLAG

    // new APIs:
    PreferVbs = 0x00010000,               // NCRYPT_PREFER_VBS_FLAG
    RequireVbs = 0x00020000,              // NCRYPT_REQUIRE_VBS_FLAG
    UsePerBootKey = 0x00040000,           // NCRYPT_USE_PER_BOOT_KEY_FLAG
}
```
Background and motivation
One of the Windows 11 builds has added framework to help secure Windows keys with virtualization-based security (VBS). With this new capability, keys can be protected from admin-level key theft attacks with negligible effect on performance, reliability, or scale.
Blog post: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/advancing-key-protection-in-windows-using-vbs/ba-p/4050988
Win API: https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptcreatepersistedkey
The proposal is to extend the existing CngKeyCreationOptions API to include the new flags.
API Proposal
API Usage
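The following is an added usage example, not code from the proposal or from dotnet/runtime. It assumes the proposed CngKeyCreationOptions members PreferVbs and RequireVbs exist and map to NCRYPT_PREFER_VBS_FLAG and NCRYPT_REQUIRE_VBS_FLAG as listed above; everything else (CngKey.Create, CngKeyCreationParameters, RSACng) is the existing System.Security.Cryptography API. The key name, the helper name CreateProtectedKey and the requireIsolation parameter are constructed for the example. UsePerBootKey is not exercised because its semantics are not described on this page.

```csharp
// Added example (not from the proposal or the dotnet/runtime repository).
// Assumes the proposed CngKeyCreationOptions.PreferVbs / RequireVbs members exist.
using System;
using System.Security.Cryptography;

static class VbsKeyExample
{
    // Creates a persisted RSA signing key in the Microsoft Software KSP and asks
    // the OS to protect it with VBS. Returns null when isolation was required but
    // the platform refused the request (no VBS, or an older Windows build).
    public static CngKey? CreateProtectedKey(string keyName, bool requireIsolation)
    {
        var parameters = new CngKeyCreationParameters
        {
            Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
            // RequireVbs (NCRYPT_REQUIRE_VBS_FLAG): creation fails rather than
            // silently yielding a key that admin-level code could read.
            // PreferVbs (NCRYPT_PREFER_VBS_FLAG): best effort; the proposed API
            // gives no signal about whether isolation was actually applied, so
            // this is assumed here to be a weaker guarantee.
            KeyCreationOptions = requireIsolation
                ? CngKeyCreationOptions.RequireVbs
                : CngKeyCreationOptions.PreferVbs,
            KeyUsage = CngKeyUsages.Signing,
            // A key whose whole point is to resist theft should not be exportable.
            ExportPolicy = CngExportPolicies.None,
        };
        // NCRYPT "Length" property: 2048-bit RSA for the example.
        parameters.Parameters.Add(
            new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));

        try
        {
            return CngKey.Create(CngAlgorithm.Rsa, keyName, parameters);
        }
        catch (CryptographicException ex) when (requireIsolation)
        {
            // Treat a refused RequireVbs request as a hard policy failure instead of
            // quietly downgrading to an unprotected key.
            Console.Error.WriteLine($"VBS-protected key creation refused: {ex.Message}");
            return null;
        }
    }

    public static void Main()
    {
        const string keyName = "ExampleVbsSigningKey"; // constructed key name
        using CngKey? key = CreateProtectedKey(keyName, requireIsolation: true);
        if (key is null)
        {
            return;
        }

        using (var rsa = new RSACng(key))
        {
            byte[] data = { 1, 2, 3 }; // constructed sample input
            byte[] signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine($"Created {keyName}; signature is {signature.Length} bytes");
        }

        key.Delete(); // remove the persisted example key from the KSP
    }
}
```

The example runs only on Windows with a build that exposes the new NCRYPT flags; on any other platform CngKey.Create throws and, with requireIsolation set, the helper returns null. Choosing RequireVbs over PreferVbs is the design point: the proposal adds the flags but no way to query afterwards whether a key ended up VBS-protected, so code with a hard isolation requirement should fail closed on creation.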
Alternative Designs
No response
Risks
Very low - new flags to existing API