How to Remove ACLs from CSP Key Containers

Using Cryptographic Service Providers (CSPs) is the standard way to implement PKI on PCs, and we are using it for our project. Lately I needed to remove some ACLs from key containers for an upgrade scenario. I searched MSDN for related info but couldn't find a direct API to change ACLs on key containers. Then Shawn, a security expert at Microsoft, helped me use the RSACryptoServiceProvider object to alter key container ACLs: if you pass a CspParameters whose CryptoKeySecurity you have modified to the RSACryptoServiceProvider constructor, the constructor writes the modified ACL to the key container. You can use the same method to add a new ACL; just add the desired rule with CryptoKeySecurity.AddAccessRule(rule) instead of removing one. Here is a sample function that removes a user's access to a key container.

using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

public void RemoveKeyContainerAccess(string userName, string CSPName, string keyContainerName)
{
    // The GetAccount helper from the original post is not shown; resolving the name
    // directly to an NTAccount is what it needs to do.
    NTAccount account = new NTAccount(userName);

    // Provider type 1 = PROV_RSA_FULL. UseExistingKey makes the call fail on a wrong
    // container name instead of silently creating a new key container.
    CspParameters cspParams = new CspParameters(1, CSPName, keyContainerName);
    cspParams.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey;

    CspKeyContainerInfo container = new CspKeyContainerInfo(cspParams);

    // get the original ACLs first
    cspParams.CryptoKeySecurity = container.CryptoKeySecurity;

    // Search for the account given to us and remove it from the access rules.
    // GetAccessRules returns a snapshot, so removing while iterating is safe.
    foreach (CryptoKeyAccessRule rule in cspParams.CryptoKeySecurity.GetAccessRules(true, false, typeof(NTAccount)))
    {
        if (rule.IdentityReference.Equals(account))
        {
            cspParams.CryptoKeySecurity.RemoveAccessRule(rule);
        }
    }

    // Persist the access rules on the key container: constructing the provider with
    // the modified CspParameters writes the new DACL. Disposing does not delete the
    // key because PersistKeyInCsp defaults to true when CspParameters is supplied.
    RSACryptoServiceProvider cryptoServiceProvider = new RSACryptoServiceProvider(cspParams);
    cryptoServiceProvider.Dispose();
}
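The same mechanism in the other direction, as an added example that is not code from the original post: granting an account read access to a key container (which is what an application needs in order to use the private key, without letting it change the DACL or delete the container), plus a helper that reads the explicit rules back so the change can be verified after an upgrade. It assumes the same provider type 1 and machine key store as above; the class and method names are mine.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

public static class KeyContainerAcl
{
    // Shared setup: open an existing container in the machine key store
    // (type 1 = PROV_RSA_FULL) and load its current security descriptor.
    private static CspParameters Open(string cspName, string keyContainerName)
    {
        CspParameters cspParams = new CspParameters(1, cspName, keyContainerName);
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey;
        cspParams.CryptoKeySecurity = new CspKeyContainerInfo(cspParams).CryptoKeySecurity;
        return cspParams;
    }

    // Grant read-only use of the key. GenericRead rather than GenericAll means the
    // account can use the private key but cannot rewrite the DACL or delete the container.
    public static void GrantReadAccess(string userName, string cspName, string keyContainerName)
    {
        CspParameters cspParams = Open(cspName, keyContainerName);
        CryptoKeyAccessRule rule = new CryptoKeyAccessRule(
            new NTAccount(userName), CryptoKeyRights.GenericRead, AccessControlType.Allow);
        cspParams.CryptoKeySecurity.AddAccessRule(rule);

        // Constructing the provider with the modified CspParameters writes the new DACL.
        using (new RSACryptoServiceProvider(cspParams)) { }
    }

    // Read back the explicit (non-inherited) rules so the result can be checked,
    // for example in a post-upgrade verification step.
    public static void PrintAccessRules(string cspName, string keyContainerName)
    {
        CspParameters cspParams = Open(cspName, keyContainerName);
        foreach (CryptoKeyAccessRule rule in
                 cspParams.CryptoKeySecurity.GetAccessRules(true, false, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-40} {1,-5} {2}",
                rule.IdentityReference.Value, rule.AccessControlType, rule.CryptoKeyRights);
        }
    }
}
```

The caller must itself hold rights to change the container's DACL (owner, an administrator, or an account with ChangePermissions), otherwise the RSACryptoServiceProvider constructor throws a CryptographicException.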


