SecureStore for Windows

Use the SecureStore API in conjunction with the LogonCore API to provide secure client login functionality.

The DataVault class implements an encrypted, password-protected secure store. There are two overloaded methods used to create a datavault:
  • Creating a datavault - Option one:
    //Create a datavault by providing an id and password for the datavault
    var vault = await SAP.SecureStore.DataVault.CreateVaultAsync("id", "newpassword");
  • Creating a datavault - Option two:
    //create a datavault by additionally providing a password policy.  
    //This password policy can determine complexity of the password, number of retries etc. 
    var vault = await SAP.SecureStore.DataVault.CreateVaultAsync("id", "newpassword", policy);
Delete the datavault by calling the DeleteVaultAsync method, passing in the id of the datavault. The developer normally does this to destroy all data in the datavault:
await SAP.SecureStore.DataVault.DeleteVaultAsync(id);
Depending on the needs of the application, the developer can create and store secure information in a datavault.


Some basic operations that can be performed on the SecureStore:

try {
	SAP.SecureStore.DataVault vault = null;
	// check if the vault exists
	if (await SAP.SecureStore.DataVault.VaultExistsAsync("id")) {
		vault = await SAP.SecureStore.DataVault.GetVaultAsync("id");
		bool invalidPassword = false;
		try {
			await vault.UnlockAsync("oldpassword");
		} catch (Exception) {
			invalidPassword = true;
		// if the old password is incorrect we try the new one
		if (invalidPassword) {
			await vault.UnlockAsync("newpassword");
		} else {
			// if the old password is valid we change it to the new one
			await vault.ChangePasswordAsync("oldpassword", "newpassword");
	} else {
		// create a new vault
		vault = await SAP.SecureStore.DataVault.CreateVaultAsync("id", "newpassword");

	// locking the store
	// unlocking it
	await vault.UnlockAsync("newpassword");

	// set a password policy
	await vault.SetPasswordPolicyAsync(new SAP.SecureStore.DataVaultPasswordPolicy() {
			IsEnabled = true,
			MinLength = 8,
			IsDefaultPasswordAllowed = false,
			HasDigits = true

	// write something into the store
	await vault.SetStringAsync("testkey", "abcdef");
	// read it back
	System.Diagnostics.Debug.WriteLine(await vault.GetStringAsync("testkey"));

	// writing binary data into the store
	await vault.SetValueAsync("binarykey", new byte[] {1, 2, 3});
	byte[] binaryValue = await vault.GetValueAsync("binarykey");
	System.Diagnostics.Debug.WriteLine(String.Join<byte>(", ", binaryValue));
	// deleteing the data
	await vault.DeleteValueAsync("binarykey");

	// enumerating the content
	var keys = vault.DataNames;
	foreach (var key in keys) {
		System.Diagnostics.Debug.WriteLine("key: " + key.Name);

	// deleting the store
	await SAP.SecureStore.DataVault.DeleteVaultAsync("id");
} catch (Exception exception) {
	if (exception is SAP.SecureStore.IDataVaultException) {
		System.Diagnostics.Debug.WriteLine("type: " + ((SAP.SecureStore.IDataVaultException)exception).Type.ToString());