CNG is designed to isolate keys. The provider loaded via this function typically isolates keys by user profile. If a process is running under a specific user account, the provider will generally only have access to that user's keys unless the application performs impersonation or accesses machine-level key stores.
Subsequent calls to reopen the provider will fail with 0x80070006 (ERROR_INVALID_HANDLE), and the only "official" fix is to restart the entire application.

Other Notable Insights
The handle returned by NCryptOpenStorageProvider is a sensitive resource. It represents a context with the security subsystem. Failing to close the handle using NCryptFreeObject leads to resource leaks. In server applications, this can eventually lead to handle exhaustion.
Modern authentication methods like Windows Hello rely on the Microsoft Platform Crypto Provider (accessible via this function) to use the TPM for protecting biometric-linked keys.
```c
#include <windows.h>
#include <ncrypt.h>   // link with ncrypt.lib

NCRYPT_PROV_HANDLE hProvider = NULL;
SECURITY_STATUS status;

// Open a handle to the Microsoft Software Key Storage Provider
status = NCryptOpenStorageProvider(&hProvider, MS_KEY_STORAGE_PROVIDER, 0);

// Cleanup: Free the provider handle (the handle is only valid on success)
if (status == ERROR_SUCCESS) NCryptFreeObject(hProvider);
```
This function creates a "context" or "session" with a specific Key Storage Provider (KSP). Once the handle is obtained, the application can perform subsequent operations such as: