program Project1;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  System.SysUtils,
  Security.Cryptographic.ProtectedData;

procedure SmallTest( );
var
  inStr, outStr: string;
  inBuffer, outBuffer, encrypted: TBytes;
begin
  inStr := 'Some Secret Data Here';
  WriteLn( inStr );
  inBuffer := TEncoding.UTF8.GetBytes( inStr );
  encrypted := TProtectedData.Protect( inbuffer ); // verschlüsseln
  outBuffer := TProtectedData.Unprotect( encrypted ); // entschlüsseln
  outStr := TEncoding.UTF8.GetString( outBuffer );
  WriteLn( outStr );
end;

begin
  try
    SmallTest( );
  except
    on E: Exception do
      Writeln( E.ClassName, ': ', E.Message );
  end;
  ReadLn;
end.

unit Security.Cryptographic.ProtectedData;

interface

uses
  System.SysUtils;

{$SCOPEDENUMS ON}

type
  TDataProtectionScope = (
    CurrentUser = $00,
    LocalMachine = $01 );

  TProtectedData = class
  strict private
    const
      DefaultDataProtectionScope = TDataProtectionScope.CurrentUser;
  public
    class function Protect( const AUserData: TBytes; AScope: TDataProtectionScope = DefaultDataProtectionScope ): TBytes; overload; static;
    class function Protect( const AUserData: TBytes; const AOptionalEntropy: TBytes; AScope: TDataProtectionScope = DefaultDataProtectionScope ): TBytes; overload; static;
    class function Unprotect( const AEncryptedDataData: TBytes; AScope: TDataProtectionScope = DefaultDataProtectionScope ): TBytes; overload; static;
    class function Unprotect( const AEncryptedDataData: TBytes; const AOptionalEntropy: TBytes; AScope: TDataProtectionScope = DefaultDataProtectionScope ): TBytes; overload; static;
  end;

implementation

{$IFDEF MSWINDOWS}
uses
  Winapi.Windows,
  Winapi.DataProtectApi;
{$ENDIF}

{ TProtectedData }

class function TProtectedData.Protect( const AUserData, AOptionalEntropy: TBytes; AScope: TDataProtectionScope ): TBytes;
{$IFDEF MSWINDOWS}
var
  dataIn, dataOut, entropy: DATA_BLOB;
  pEntropy: PDATA_BLOB;
  flags: DWORD;
begin
  if Length( AUserData ) = 0 then
    raise EArgumentException.Create( 'AUserData' );

  dataOut.cbData := 0;
  dataOut.pbData := nil;

  dataIn.cbData := length( AUserData );
  dataIn.pbData := @AUserData[0];

  if Length( AOptionalEntropy ) > 0 then
  begin
    entropy.cbData := length( AOptionalEntropy );
    entropy.pbData := @AOptionalEntropy[0];
    pEntropy := @entropy;
  end
  else
    pEntropy := nil;

  flags := CRYPTPROTECT_UI_FORBIDDEN;
  if AScope = TDataProtectionScope.LocalMachine then
    flags := flags or CRYPTPROTECT_LOCAL_MACHINE;

  if not CryptProtectData( @dataIn, nil, pentropy, nil, nil, flags, @dataOut ) then
    RaiseLastOsError;

  SetLength( Result, dataOut.cbData );
  move( dataOut.pbData^, Result[0], dataOut.cbData );
  LocalFree( HLOCAL( dataOut.pbData ) );
end;
{$ELSE}
begin
  raise ENotImplementedException.Create( 'Not Implemented' );
end;
{$ENDIF}

class function TProtectedData.Protect( const AUserData: TBytes; AScope: TDataProtectionScope ): TBytes;
var
  Entropy: TBytes;
begin
  Entropy := [];
  Result := TProtectedData.Protect( AUserData, Entropy, AScope );
end;

class function TProtectedData.Unprotect( const AEncryptedDataData, AOptionalEntropy: TBytes; AScope: TDataProtectionScope ): TBytes;
{$IFDEF MSWINDOWS}
var
  dataIn, dataOut, entropy: DATA_BLOB;
  pEntropy: PDATA_BLOB;
  flags: DWORD;
begin
  if Length( AEncryptedDataData ) = 0 then
    raise EArgumentException.Create( 'AEncryptedDataData' );

  dataOut.cbData := 0;
  dataOut.pbData := nil;

  dataIn.cbData := length( AEncryptedDataData );
  dataIn.pbData := @AEncryptedDataData[0];

  if Length( AOptionalEntropy ) > 0 then
  begin
    entropy.cbData := length( AOptionalEntropy );
    entropy.pbData := @AOptionalEntropy[0];
    pEntropy := @entropy;
  end
  else
    pEntropy := nil;

  flags := CRYPTPROTECT_UI_FORBIDDEN;
  if AScope = TDataProtectionScope.LocalMachine then
    flags := flags or CRYPTPROTECT_LOCAL_MACHINE;

  if not CryptUnprotectData( @dataIn, nil, pentropy, nil, nil, flags, @dataOut ) then
    RaiseLastOsError;

  SetLength( Result, dataOut.cbData );
  move( dataOut.pbData^, Result[0], dataOut.cbData );
  LocalFree( HLOCAL( dataOut.pbData ) );
end;
{$ELSE}
begin
  raise ENotImplementedException.Create( 'Not Implemented' );
end;
{$ENDIF}

class function TProtectedData.Unprotect( const AEncryptedDataData: TBytes; AScope: TDataProtectionScope ): TBytes;
var
  Entropy: TBytes;
begin
  Entropy := [];
  Result := Unprotect( AEncryptedDataData, Entropy, AScope );
end;

end.

unit Winapi.DataProtectApi;

interface

uses
  Winapi.Windows;

const
  CRYPTPROTECT_UI_FORBIDDEN = UINT( $01 );
{$EXTERNALSYM CRYPTPROTECT_UI_FORBIDDEN}
  CRYPTPROTECT_LOCAL_MACHINE = UINT( $04 );
{$EXTERNALSYM CRYPTPROTECT_LOCAL_MACHINE}
  CRYPTPROTECT_CRED_SYNC = UINT( $08 );
{$EXTERNALSYM CRYPTPROTECT_CRED_SYNC}
  CRYPTPROTECT_AUDIT = UINT( $010 );
{$EXTERNALSYM CRYPTPROTECT_AUDIT}
  CRYPTPROTECT_NO_RECOVERY = UINT( $020 );
{$EXTERNALSYM CRYPTPROTECT_NO_RECOVERY}
  CRYPTPROTECT_VERIFY_PROTECTION = UINT( $040 );
{$EXTERNALSYM CRYPTPROTECT_VERIFY_PROTECTION}

type
  PCryptoApiBlob = ^TCrypeoApiBlob;
  _CRYPTOAPI_BLOB = record
    cbData: DWORD;
    pbData: PBYTE;
  end;
{$EXTERNALSYM _CRYPTOAPI_BLOB}

  TCrypeoApiBlob = _CRYPTOAPI_BLOB;

  CRYPT_INTEGER_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_INTEGER_BLOB}
  PCRYPT_INTEGER_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_INTEGER_BLOB}
  CRYPT_UINT_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_UINT_BLOB}
  PCRYPT_UINT_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_UINT_BLOB}
  CRYPT_OBJID_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_OBJID_BLOB}
  PCRYPT_OBJID_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_OBJID_BLOB}
  CERT_NAME_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CERT_NAME_BLOB}
  PCERT_NAME_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCERT_NAME_BLOB}
  CERT_RDN_VALUE_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CERT_RDN_VALUE_BLOB}
  PCERT_RDN_VALUE_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCERT_RDN_VALUE_BLOB}
  CERT_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CERT_BLOB}
  PCERT_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCERT_BLOB}
  CRL_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRL_BLOB}
  PCRL_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRL_BLOB}
  DATA_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM DATA_BLOB}
  PDATA_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PDATA_BLOB}
  CRYPT_DATA_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_DATA_BLOB}
  PCRYPT_DATA_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_DATA_BLOB}
  CRYPT_HASH_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_HASH_BLOB}
  PCRYPT_HASH_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_HASH_BLOB}
  CRYPT_DIGEST_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_DIGEST_BLOB}
  PCRYPT_DIGEST_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_DIGEST_BLOB}
  CRYPT_DER_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_DER_BLOB}
  PCRYPT_DER_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_DER_BLOB}
  CRYPT_ATTR_BLOB = _CRYPTOAPI_BLOB;
{$EXTERNALSYM CRYPT_ATTR_BLOB}
  PCRYPT_ATTR_BLOB = PCryptoApiBlob;
{$EXTERNALSYM PCRYPT_ATTR_BLOB}

  PCryptProtectPromptStruct = ^TCryptProtectPromptStruct;
  _CRYPTPROTECT_PROMPTSTRUCT = record
    cbSize: DWORD;
    dwPromptFlags: DWORD;
    hwndApp: HWND;
    szPrompt: LPCWSTR;
  end;
{$EXTERNALSYM _CRYPTPROTECT_PROMPTSTRUCT}

  TCryptProtectPromptStruct = _CRYPTPROTECT_PROMPTSTRUCT;

  PCRYPTPROTECT_PROMPTSTRUCT = ^_CRYPTPROTECT_PROMPTSTRUCT;
{$EXTERNALSYM PCRYPTPROTECT_PROMPTSTRUCT}
  CRYPTPROTECT_PROMPTSTRUCT = _CRYPTPROTECT_PROMPTSTRUCT;
{$EXTERNALSYM CRYPTPROTECT_PROMPTSTRUCT}

function CryptProtectData( pDataIn: PDATA_BLOB; szDataDescr: LPCWSTR; pOptionalEntropy: PDATA_BLOB; pvReserved: PVOID; pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD; pDataOut: PDATA_BLOB ): BOOL; stdcall;
{$EXTERNALSYM CryptProtectData}
function CryptUnprotectData( pDataIn: PDATA_BLOB; szDataDescr: LPCWSTR; pOptionalEntropy: PDATA_BLOB; pvReserved: PVOID; pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD; pDataOut: PDATA_BLOB ): BOOL; stdcall;
{$EXTERNALSYM CryptUnprotectData}

const
  crypt32 = 'crypt32.dll';

implementation

function CryptProtectData; external crypt32 name 'CryptProtectData';
function CryptUnprotectData; external crypt32 name 'CryptUnprotectData';

end.