Data Encryption
Microsoft Provisioning Framework (MPF) provides encryption of
stores for three categories of potentially sensitive data:
- Transaction state in transaction logs: Transactions and
rollback data are encrypted if the request XML contains a procedure
or lower-level execute node marked with a sensitive attribute. For
transaction logs and the configuration database, MPF uses a
two-tier symmetric key encryption scheme, in which the same
key is used for both encrypting and decrypting. In this scheme,
each transaction is encrypted with its own unique key. The data is
stored in a payload containing user information and the state of the
transaction, referenced by a transaction ID in the database. In
turn, each transaction key is encrypted with a master key generated
from a password stored in the configuration database. The encrypted
payload and the encrypted transaction key are both stored in the
transaction log and referenced by the transaction ID. After the
transaction key is decrypted, it is used to decrypt the payload
message to extract the user's data.
- Provisioning settings in the Microsoft Windows
registry: Provisioning settings are encrypted using the same
two-tier symmetric key encryption that is used for transaction
state in transaction logs.
- User credentials stored in the configuration
database: The Windows registry stores MPF registry keys in
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning. Windows
encrypts settings for the Audit and Recovery service, provisioning
engine, and queue manager using an encryption key it generates from
the account that the component is running under. For example, by
default, it encrypts registry settings for provisioning engines
using a key generated from MPFServiceAcct.
Not all MPF data is encrypted. Data is not encrypted for the
audit log, Provisioning Queue Manager service, or Client registry
key.
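The two-tier scheme described above, as an added illustration that is not MPF's own code: a per-transaction key seals the payload, a master key derived from the configuration-database password wraps that transaction key, and both ciphertexts are filed under the transaction ID. The cipher used here is a constructed HMAC-SHA256 keystream with an authentication tag, standing in for whatever symmetric algorithm MPF actually uses (the page does not name it); the password, salt, and transaction IDs are likewise made-up sample values. The `can_recover` check shows why losing the master key makes the log unreadable.

```python
import hashlib
import hmac
import os
import secrets

# Constructed toy authenticated cipher: HMAC-SHA256 keystream in counter mode plus an HMAC tag.
# It is a stand-in for the (unnamed) symmetric cipher MPF uses, chosen so this runs on the stdlib.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or corrupted record")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def master_key(password: str, salt: bytes) -> bytes:
    # Master key derived from the password held in the configuration database (PBKDF2 assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def log_transaction(log: dict, txid: str, payload: bytes, mk: bytes) -> None:
    tx_key = secrets.token_bytes(32)                  # unique key for this transaction
    log[txid] = {"payload": seal(tx_key, payload),    # tier 2: payload under the transaction key
                 "key": seal(mk, tx_key)}             # tier 1: transaction key under the master key

def read_transaction(log: dict, txid: str, mk: bytes) -> bytes:
    rec = log[txid]
    tx_key = unseal(mk, rec["key"])                   # unwrap the transaction key first
    return unseal(tx_key, rec["payload"])             # then decrypt the payload

def can_recover(log: dict, txid: str, mk: bytes) -> bool:
    # False when the master key (i.e. the configuration-database password) is lost or wrong.
    try:
        read_transaction(log, txid, mk)
        return True
    except ValueError:
        return False
```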
Important
The MPF data encryption architecture assumes that the system is
secure and that keys will be stored in a safe place. If the
configuration database is corrupted or destroyed so that the master
key can no longer be retrieved, it will be impossible to access
data in the transaction logs. For this reason, it is recommended
that MPF installations have backup computers running SQL Server for
the configuration database and transaction logs.