Windows Credential Manager - How it Works
Basics
Windows Credential Manager is a secure way to store sensitive information (“secrets”) on Windows.
It uses symmetric encryption to encrypt the secrets. The encryption key (called the master key) is randomly generated for each user account when the account is created. This master key is itself encrypted and protected using a key derived from the user’s Windows username and password.
When you log out of your Windows account, other accounts cannot decrypt your secrets. Even an administrator generally cannot decrypt your secrets without sophisticated forensic tools and techniques, which are not available to most users. They essentially have to crack your Windows username and password to decrypt your secrets.
Git Credential Manager, under the hood, uses Windows Credential Manager to store sensitive information such as your GitHub tokens.
Additional Info
The Windows master key is not the only input to the encryption key for your secrets. The key can also be derived from additional entropy supplied by the application (the requester), but the same entropy must be supplied again to decrypt the secret. You can think of this additional entropy as a “salt”: it is an additional piece of information to derive the key from, and you must remember it and provide it when you want to decrypt.
Most applications do not provide/use the additional entropy.
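The effect of the additional entropy can be observed through the Windows Data Protection API (DPAPI), the per-user master key mechanism described above, which .NET exposes as the ProtectedData class. The following is an added example, not code from the original page; the helper names Protect-Secret and Unprotect-Secret, the sample secret and the entropy strings are constructed for illustration, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: DPAPI round trips with and without additional entropy.
Add-Type -AssemblyName System.Security   # makes ProtectedData available

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8  = [System.Text.Encoding]::UTF8

function Protect-Secret {
    # Hypothetical helper: encrypts under the current user's master key.
    param([string]$Secret, [byte[]]$Entropy)   # $Entropy may be $null
    $plain = $utf8.GetBytes($Secret)
    return ,[System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $scope)
}

function Unprotect-Secret {
    # Hypothetical helper: returns the plaintext, or $null when decryption fails.
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
        return $utf8.GetString($plain)
    } catch {
        # Unprotect throws a CryptographicException when the entropy is missing
        # or wrong, or when the blob belongs to another user account.
        return $null
    }
}

# Constructed sample values.
$secret  = 'constructed-sample-token'
$entropy = $utf8.GetBytes('constructed-app-entropy')
$other   = $utf8.GetBytes('some-other-entropy')

$withEntropy    = Protect-Secret -Secret $secret -Entropy $entropy
$withoutEntropy = Protect-Secret -Secret $secret -Entropy $null

# Each row: which blob, which entropy was supplied on decrypt, and the result.
@(
    [pscustomobject]@{ Blob = 'with entropy'; Supplied = 'same';  Result = Unprotect-Secret $withEntropy $entropy }
    [pscustomobject]@{ Blob = 'with entropy'; Supplied = 'none';  Result = Unprotect-Secret $withEntropy $null }
    [pscustomobject]@{ Blob = 'with entropy'; Supplied = 'wrong'; Result = Unprotect-Secret $withEntropy $other }
    [pscustomobject]@{ Blob = 'no entropy';   Supplied = 'none';  Result = Unprotect-Secret $withoutEntropy $null }
) | ForEach-Object {
    if ($null -eq $_.Result) { $_.Result = '<decryption failed>' }
    $_
} | Format-Table -AutoSize
```

Only the rows where the supplied entropy matches what was used at encryption time return the plaintext. The entropy is not stored in the blob, so an application that uses it has to keep it somewhere it can retrieve it later.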