Microsoft® Provisioning Framework (MPF) stores three categories of potentially sensitive data:
For transaction logs and the configuration database, MPF uses a two-tier symmetric key encryption algorithm that uses the same key for both encrypting and decrypting. In this system, transactions are encrypted with a unique key. Data is stored in a payload containing user information and the state of the transaction, referenced by a transaction ID in the database. In turn, each transaction key is encrypted with a master key generated from a password stored in the configuration database. The encrypted payload and the encrypted transaction key are both stored in the transaction log and referenced by a transaction ID. After the transaction key is decrypted, it is used to decrypt the payload message to extract the user's data.
Note The MPF data encryption architecture assumes that the system is secure and that keys are stored in a safe place. If the configuration database is corrupted or destroyed so that the master key can no longer be retrieved, it will be impossible to access data in the transaction logs. For this reason, MPF installations should have backup SQL servers for the configuration database and transaction logs.
The Windows registry stores MPF registry keys in \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning. Windows encrypts settings for the Audit and Recovery Service, Engine, and Queue Manager keys using an encryption key it generates from the account that the component is running under. For example, by default, it encrypts registry settings for provisioning engines using a key generated from MPFServiceAcct.