Instead of storing a random session key blob, a derived key can be used. Derived session keys are created with a password by using the CryptDeriveKey function. In this way, instead of storing a particular derived key, an application can create a derived key as needed by prompting the user for the password.
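The following is an added example, not code from the original page or from CryptoAPI. CryptDeriveKey is Windows-only, so it uses a portable stand-in, PBKDF2-HMAC-SHA256 written out in Go's standard library, to show the practical shape of the approach: the application persists only a salt and a key check value, never the key, and rebuilds the session key from the password on demand. The record format, the function names and the check-value label string are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// DeriveSessionKey derives keyLen bytes from a password and salt using
// PBKDF2-HMAC-SHA256 (RFC 8018). It stands in for CryptDeriveKey here;
// it is not CryptoAPI's algorithm, just a portable equivalent of
// "turn a password into a session key deterministically".
func DeriveSessionKey(password, salt []byte, iterations, keyLen int) []byte {
	prf := func(data []byte) []byte {
		m := hmac.New(sha256.New, password)
		m.Write(data)
		return m.Sum(nil)
	}
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		u := prf(append(append([]byte{}, salt...), idx[:]...))
		t := append([]byte{}, u...)
		for i := 1; i < iterations; i++ {
			u = prf(u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// KeyCheckValue is an HMAC of a fixed label under the derived key. Storing it
// lets the application detect a mistyped password before attempting any
// decryption, without storing (or revealing) the key itself.
func KeyCheckValue(key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("session-key-check-v1")) // constructed label, assumption
	return m.Sum(nil)
}

// StoredRecord is the only thing persisted: no key blob, just salt,
// iteration count and the check value. (Hypothetical format.)
type StoredRecord struct {
	Salt       []byte
	Iterations int
	Check      []byte
}

// Enroll creates the record for a new password; the key is derived and discarded.
func Enroll(password []byte) (StoredRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredRecord{}, err
	}
	const iterations = 100000
	key := DeriveSessionKey(password, salt, iterations, 32)
	return StoredRecord{Salt: salt, Iterations: iterations, Check: KeyCheckValue(key)}, nil
}

// Unlock re-derives the session key from the password when it is needed and
// reports false (and no key) if the password does not match the record.
func Unlock(password []byte, rec StoredRecord) ([]byte, bool) {
	key := DeriveSessionKey(password, rec.Salt, rec.Iterations, 32)
	if !hmac.Equal(KeyCheckValue(key), rec.Check) {
		return nil, false
	}
	return key, true
}

func main() {
	rec, err := Enroll([]byte("correct horse battery staple")) // constructed sample password
	if err != nil {
		panic(err)
	}
	if key, ok := Unlock([]byte("correct horse battery staple"), rec); ok {
		fmt.Println("session key rebuilt:", hex.EncodeToString(key))
	}
	_, ok := Unlock([]byte("wrong password"), rec)
	fmt.Println("wrong password accepted:", ok)
}
```

Because nothing on disk depends on a CSP key pair, losing the CSP's keys does not lose the data; the trade-off is that the data is now only as strong as the password and the iteration count.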
Stored key blobs are dependent on the stability of the public/private key pairs stored within the CSP. If these key pairs are somehow lost (for example, through a hardware or software incident), you will be unable to decrypt your key blobs. This means that any data that has been encrypted by using these keys will also be lost. For this reason, it is recommended that you use a backup authority when storing long-term archival data.
A backup authority is a trusted application running on a secure computer that provides storage for the session keys of its clients. All session keys stored there are encrypted in the form of key blobs by using the backup authority's public key. An application using a backup authority typically follows these steps:
If, at a later time, you lose your key pairs, you can retrieve the session keys from the backup authority. You will first have to establish your identity to the backup authority. The procedure for doing this is determined by the policy of the particular backup authority, and does not involve the CryptoAPI.
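As an added example (not code from the page, and not how any particular Microsoft backup authority is implemented), the model below sketches the escrow and recovery flow the two paragraphs above describe, using Go's standard-library RSA-OAEP in place of CryptoAPI key blobs. The client encrypts its session key to the authority's public key before sending it, the authority stores only that blob, and recovery runs only after identity has been established. The `identityVerified` flag is a placeholder for the authority's own policy, which the page says is outside CryptoAPI's scope; using the client ID as the OAEP label is a design choice of this example that binds each blob to the client it was stored for.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BackupAuthority models the trusted service: it owns a key pair and keeps
// clients' session keys only as blobs encrypted to its public key.
type BackupAuthority struct {
	priv  *rsa.PrivateKey
	blobs map[string][]byte // client ID -> encrypted session-key blob
}

func NewBackupAuthority() (*BackupAuthority, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &BackupAuthority{priv: priv, blobs: map[string][]byte{}}, nil
}

// PublicKey is what clients obtain (out of band) to wrap their session keys.
func (ba *BackupAuthority) PublicKey() *rsa.PublicKey { return &ba.priv.PublicKey }

// WrapSessionKey is the client-side step: encrypt the raw session key to the
// authority's public key so plaintext key material never leaves the client.
// The client ID is used as the OAEP label, tying the blob to that client.
func WrapSessionKey(authorityPub *rsa.PublicKey, clientID string, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, authorityPub, sessionKey, []byte(clientID))
}

// Store keeps the blob; the authority cannot read it without its private key.
func (ba *BackupAuthority) Store(clientID string, blob []byte) { ba.blobs[clientID] = blob }

// Recover returns a client's session key once identity has been established.
// identityVerified stands in for the authority's own authentication policy.
func (ba *BackupAuthority) Recover(clientID string, identityVerified bool) ([]byte, error) {
	if !identityVerified {
		return nil, errors.New("identity not established")
	}
	blob, ok := ba.blobs[clientID]
	if !ok {
		return nil, errors.New("no session key stored for client")
	}
	// A blob wrapped under a different client ID fails here: the label will not match.
	return rsa.DecryptOAEP(sha256.New(), nil, ba.priv, blob, []byte(clientID))
}

func main() {
	ba, err := NewBackupAuthority()
	if err != nil {
		panic(err)
	}
	sessionKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample key
	blob, err := WrapSessionKey(ba.PublicKey(), "archive-app", sessionKey)
	if err != nil {
		panic(err)
	}
	ba.Store("archive-app", blob)

	// Later: the client's own CSP key pair is gone, but the session key can be recovered.
	recovered, err := ba.Recover("archive-app", true)
	fmt.Println("recovered:", string(recovered), "err:", err)
	_, err = ba.Recover("archive-app", false)
	fmt.Println("recovery without identity check:", err)
}
```

The security of the archive now rests on the authority's private key instead of the client's CSP key pair, so the authority's key must itself be protected and backed up far more carefully than any individual client key.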