Data protection and encryption

UserLock ensures the confidentiality and integrity of all communications between its components and securely stores all credentials handled by the service.

Published October 8, 2025

Communication encryption

All communications between UserLock agents, the UserLock desktop console, the Web console (Web App), and the UserLock service are fully encrypted.

This encryption protects credentials, authentication tokens, and session data exchanged across the network.

Key exchange

UserLock uses Elliptic-Curve Diffie–Hellman (ECDH) for key exchange, with standard elliptic curves:

  • ECDH 521-bit,

  • ECDH 384-bit,

  • ECDH 256-bit.

Each component generates its own private keys:

  • The UserLock service keeps private keys only for the duration of its current execution.

  • The UserLock agent creates new private keys for every new connection.

The final session key is derived by hashing the ECDH shared secret with a SHA-2 function:

  • SHA-384 or SHA-256 depending on the chosen curve.

Symmetric encryption

Once the key exchange is complete, all data transfers use AES encryption in CBC mode:

  • 256-bit AES when using SHA-384,

  • 128-bit AES when using SHA-256.

Encryption operations rely on the Windows Cryptography API: Next Generation (CNG) for optimal security and compliance with Microsoft standards.

Password storage

UserLock never stores credentials in plain text.
All passwords managed by the UserLock services are encrypted using the Windows Data Protection API (DPAPI), ensuring that only the intended service account can decrypt them.

Service account passwords

  • Passwords saved by the UserLock service are encrypted with DPAPI.

  • Only the UserLock service account (NETWORK_SERVICE) can decrypt these credentials.

Scheduled reports

When using scheduled reports, the SMTP password used for email delivery is stored by the UserLock Helper service:

  • DPAPI encryption is also used.

  • Only the LocalSystem account can decrypt this password.

Summary

  • All communications between UserLock components are encrypted using ECDH key exchange and AES symmetric encryption.

  • Encryption keys are ephemeral and renewed automatically for each session.

  • The CNG API ensures compatibility with Microsoft security standards.

  • Passwords are stored only in encrypted form using DPAPI, and are accessible exclusively to their corresponding Windows service accounts.

This architecture guarantees the confidentiality and integrity of all sensitive data managed by UserLock.