Data Protection Application Programming Interface
DPAPI is the built-in Windows service that applications use to encrypt secrets like saved browser passwords, Wi-Fi keys, and certificates, with keys derived from the user's logon credentials. It spares developers from managing encryption keys themselves. Attackers who compromise a user or domain can abuse DPAPI to decrypt those stored secrets, and the domain backup key is a crown-jewel target because it can unlock DPAPI data for every user in the domain.