Comment on page
cloudapkd 🛠️
dpapi::cloudapkd
allows to decrypt via DPAPI the ProofOfPossesionKey (extracted from a Primary Refresh Token, a.k.a. PRT, e.g. cloudap) and thus recover the Clear key and the Derived Key./prt
: Primary Refresh Token, used for JWT token generation (can be found withsekurlsa::cloudap
)/iat
: Issued At, used for JWT token generation (Default: -112)/pop
: Proof-of-Possession (Unknown usage, Work In Progress)/label
: Object label, can be retrive fromkeyvalue
withunprotect
/context
: Used for JWT token generation (can be found with unprotect)/keyname
: Is necessary for opaque keys (when a TPM is used for example) duringunprotect
operation/keyvalue
: Part of ProofOfPossesionKey, can be found withsekurlsa::cloudap
. Unprotect this data to retrievecontext
,label
,clearkey
andderivedkey
/derivedkey
: used for JWT token generation (can be found with unprotect)/unprotect
: Decrypt the secret from DPAPI (masterkey
is optionnal, buttoken::elevate
is required)/masterkey
: master DPAPI key use to unprotect the secret (can be retrieved fromsekurlsa::dpapi
). This field is not mandatory, if absent the key will be found automatically
Last modified 1yr ago