In the documentation about the CryptProtectData
function Microsoft tells to only use CryptProtectData with small buffers.
This call can be slow and a memory hog, and unreliable. Use only with small buffers.
CryptProtect/UnprotectData makes a call across RPC to the LSA where the actual encryption or decryption is done and RPC has upper limits on how much data can be passed. A general rule of thumb for encryption of large amounts of data is to protect the bulk with a symmetric key and then protect the symmetric key using CryptProtectData. Decryption is just a reversal and you’ll find better performance (avoid costly RPC operations) and are usually just as secure (dependent on symmetric algorithm used for the large block of data).
So what is this upper limit? Can I secure multiple passwords with a length of 256 Byte each with it?