Protecting encryption key with TPM when using DPAPI


DPAPI on Windows provides functions to encrypt and decrypt arbitrary data. Functions provided by DPAPI include CryptProtectMemory, CryptUnprotectMemory, CryptProtectData and CryptUnprotectData. I suspect that the functions RtlEncryptMemory and RtlDecryptMemory from ntsecapi.h also use DPAPI, although it's not stated in the documentation.

In the past, the security of the encryption key was apparently based on the user's credentials [1]. If a TPM is available, will DPAPI use it to protect its encryption key instead? If so, for which of the functions listed above is this true?

In the event that an attacker can dump the entire RAM (e.g. through DMA), will the sensitive data encrypted with DPAPI be protected? Assume that the attacker cannot access the TPM in this scenario.

[1] https://learn.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)

I tried to search through available Microsoft documentation for all the functions listed, documentation for DPAPI and documentation for how Windows uses TPM (CNG etc.). I also explored papers reversing DPAPI like this one: https://elie.net/static/files/recovering-windows-secrets-and-efs-certificates-offline/recovering-windows-secrets-and-efs-certificates-offline-paper.pdf

Unfortunately, the information is either outdated or too general to be useful.


Jeaninez - MSFT

CNG DPAPI consists of two functions, CryptProtectData and CryptUnprotectData. The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions, primarily involving encryption keys.

In contrast to software-only CNG providers, TPM features provide key protection. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. As far as I'm concerned, to protect the key, you could try to create keys in the TPM instead of storing the key in the TPM.

For more details, I suggest you refer to the docs:

TPM fundamentals

How Windows uses the Trusted Platform Module
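Added example (not part of the answer or of Microsoft's documentation) contrasting the two approaches this thread discusses: DPAPI via .NET's ProtectedData, which wraps CryptProtectData and is bound to the current user's credentials, against an RSA key created inside the TPM through the Microsoft Platform Crypto Provider, as the answer suggests. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later on a machine with a TPM 2.0; the key name "ExampleTpmKey" and the sample secret are constructed for the demonstration.

```powershell
# Added example: DPAPI (user-credential-bound) vs. a non-exportable RSA key
# created in the TPM via the Platform Crypto Provider. Not from the thread.
Add-Type -AssemblyName System.Security
$secret = [Text.Encoding]::UTF8.GetBytes("constructed sample secret")

# --- DPAPI: ProtectedData calls CryptProtectData; the key is derived from the
#     logon credentials, so another user account cannot Unprotect this blob ---
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser
$blob  = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$back  = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
"DPAPI round trip OK: " + ([Text.Encoding]::UTF8.GetString($back) -eq "constructed sample secret")

# --- TPM: persisted, non-exportable RSA key in the Platform Crypto Provider ---
$provider = New-Object Security.Cryptography.CngProvider("Microsoft Platform Crypto Provider")
$keyName  = "ExampleTpmKey"   # constructed key name for this example
if ([Security.Cryptography.CngKey]::Exists($keyName, $provider)) {
    [Security.Cryptography.CngKey]::Open($keyName, $provider).Delete()   # start clean
}
$p = New-Object Security.Cryptography.CngKeyCreationParameters
$p.Provider     = $provider
$p.KeyUsages    = [Security.Cryptography.CngKeyUsages]::Decryption      # restrict the key's use
$p.ExportPolicy = [Security.Cryptography.CngExportPolicies]::None        # private key never leaves the TPM
$p.Parameters.Add((New-Object Security.Cryptography.CngProperty(
    "Length", [BitConverter]::GetBytes(2048), [Security.Cryptography.CngPropertyOptions]::None)))
$key = [Security.Cryptography.CngKey]::Create(
    [Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $p)

$rsa = New-Object Security.Cryptography.RSACng($key)
$pad = [Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$ct  = $rsa.Encrypt($secret, $pad)   # public-key operation, can run anywhere
$pt  = $rsa.Decrypt($ct, $pad)       # private-key operation, performed inside the TPM
"TPM-backed round trip OK: " + ([Text.Encoding]::UTF8.GetString($pt) -eq "constructed sample secret")
"Provider: $($key.Provider.Provider); export policy: $($key.ExportPolicy)"

# Caveat for the RAM-dump scenario in the question: in both cases the decrypted
# bytes ($back, $pt) sit in this process's memory. The TPM protects the key
# material, not the plaintext once it has been recovered.
$rsa.Dispose()
$key.Delete()
```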