Unable to decrypt using DPAPI. Invocation of CryptUnprotectedData failed


The Cibecs Agent cannot access files with the current DPAPI keys, usually caused by the DPAPI master key changing.

How to identify the problem

Backups will start failing for the user where the DPAPI master keys changed and the Cibecs Protection Agent will display the below error notifying the user of the problem when attempting a restore.


The log file will have entries similar to the below on backups attempts.

2021-08-30 22:26:39.520 ERROR 5944 --- [Backup-5] m.c.d.store.client.backup.BackupSession : Failed to build snapshot

mu.cibecs.dedupe.store.client.backup.snapshot.SnapshotBuilderException: Failed to build snapshot proto
at mu.cibecs.dedupe.store.client.backup.snapshot.SnapshotBuilder.build(SnapshotBuilder.java:118)
at mu.cibecs.dedupe.store.client.backup.snapshot.SnapshotBuilder.build(SnapshotBuilder.java:66)
at mu.cibecs.dedupe.store.client.backup.BackupSession.completed(BackupSession.java:400)
at mu.cibecs.agent.backup.dedupe.DedupeBackupSessionAdapter.endSession(DedupeBackupSessionAdapter.java:171)
at mu.cibecs.agent.backup.BackupService.runBackup(BackupService.java:205)
at mu.cibecs.agent.backup.BackupService.lambda$backupNow$0(BackupService.java:150)
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Unable to decrypt using DPAPI. Invocation of CryptUnprotectData failed

What caused this problem?

There is a problem calling the Data Protection API CryptUnprotectData function. This could be caused by the user password on the device being out of sync with the password on the domain controller, or a domain migration took place causing new master keys to be created or the DPAPI master key becoming corrupt.

How do I resolve this problem?

Follow the Microsoft troubleshooting guides around DPAPI if you suspect that it might be password-related or a corrupt master key.

If this was caused by domain migrations. The Discovery agent cache will have to be cleared, the device will be rediscovered on the new domain and the user will have to be reactivated. Keep in mind that you will need to register a new AD Connector for the 2nd domain.