The underlying tech is Windows DPAPI and .NET's use of it via ProtectedData. In our scenario, we have an application that runs across various servers: Web APIs, websites that users can log into, and Windows services running in the background, all of which run under a specific AD account for the application.
The encryption keys are stored against the profile, and this allows all components to access the data. All working OK.
However, is there an inherent risk in associating the keys with an AD profile, in that any manipulation/corruption of the profile may result in the application no longer being able to access the data? Or is this risk so low as to be negligible?
Would it be better to use .NET's other cryptographic objects to store the key at an application level so that AD is not involved?
I had initially searched the site and found this post on symmetric encryption, which linked to a good whitepaper by Microsoft that outlines some of the weaknesses of DPAPI but doesn't quite address whether it's appropriate for a large, somewhat distributed application. I think there's some risk, but I don't know if it's high enough to be worried about in the long term.
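As an added example (not code from the original question), the C# below shows the pattern the question describes: an application data key is wrapped with DPAPI through ProtectedData and written to disk, then unwrapped on startup, with the unwrap failure handled rather than left to crash the service. The scope is a parameter so the same code can be run in CurrentUser scope (bound to the DPAPI master keys in the service account's profile) or LocalMachine scope (bound to the host instead). The file name and the entropy string are made-up values for the example; it assumes .NET Framework, or .NET 6+ with the System.Security.Cryptography.ProtectedData package.

```csharp
// Added example, not from the original post. Wraps an AES data key with Windows DPAPI
// via ProtectedData, stores it, unwraps it, and exercises the error path a caller
// must handle when DPAPI cannot recover the blob (different account, unavailable or
// reset profile master key, blob copied to another host, or tampered blob).
// Assumes .NET Framework, or .NET 6+ with the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class DpapiKeyStore
{
    // Secondary entropy: an application-specific value mixed into the DPAPI operation, so
    // another process running under the same account still needs this value to unwrap.
    // (Constant is a placeholder for the example; keep the real value out of source control.)
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // Generate a fresh 256-bit AES data key and store it wrapped under DPAPI in the given scope.
    public static void CreateAndStoreKey(string path, DataProtectionScope scope)
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        byte[] wrapped = ProtectedData.Protect(key, Entropy, scope);
        File.WriteAllBytes(path, wrapped);
        Array.Clear(key, 0, key.Length); // don't leave the plaintext key lying around
    }

    // Unwrap the stored key. Returns null (after logging the identity that failed) when
    // DPAPI cannot recover it, so the caller can fail closed instead of throwing mid-startup.
    public static byte[] LoadKey(string path, DataProtectionScope scope)
    {
        byte[] wrapped = File.ReadAllBytes(path);
        try
        {
            return ProtectedData.Unprotect(wrapped, Entropy, scope);
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine(
                "DPAPI unwrap failed for " + Environment.UserDomainName + "\\" + Environment.UserName +
                " on " + Environment.MachineName + " (scope " + scope + "): " + ex.Message);
            return null;
        }
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "example-data-key.dpapi"); // example path

        foreach (var scope in new[] { DataProtectionScope.CurrentUser, DataProtectionScope.LocalMachine })
        {
            CreateAndStoreKey(path, scope);
            byte[] key = LoadKey(path, scope);
            Console.WriteLine(key != null
                ? scope + ": unwrapped " + (key.Length * 8) + "-bit key as " + Environment.UserName
                : scope + ": key unavailable under this identity/profile");

            // Exercise the failure path deterministically: DPAPI blobs are integrity-protected,
            // so flipping a byte in the stored blob makes Unprotect throw CryptographicException.
            byte[] blob = File.ReadAllBytes(path);
            blob[blob.Length - 1] ^= 0x01;
            File.WriteAllBytes(path, blob);
            byte[] fromCorrupt = LoadKey(path, scope);
            Console.WriteLine(fromCorrupt == null
                ? scope + ": corrupted blob correctly rejected"
                : scope + ": unexpected success on corrupted blob");
        }

        File.Delete(path);
    }
}
```

In CurrentUser scope the wrapped key is only as available as the DPAPI master key in the account's profile, which is the dependency the question is asking about; LocalMachine scope removes that dependency but lets any process on that host unprotect the blob, with the entropy value as the only remaining barrier, and the blob still cannot be read on a different machine.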