ProtectedKeyProvider: stale aes_key.dat from cloned/imaged hosts causes silent 1053, no recovery path

[Christophe-Rogiers]

Description

When C:\ProgramData\Servy\security\aes_key.dat was DPAPI-protected under a different machine's LocalMachine master key (e.g., the host was cloned, imaged, OS-restored, or the file was copied from another system), ProtectedKeyProvider.GetOrGenerate throws CryptographicException: The data is invalid during service construction.

Servy's own log is clear and accurate:

[ERROR] Failed to unprotect key at C:\ProgramData\Servy\security\aes_key.dat. The file may have been moved from another machine.
[ERROR] Fatal error during service construction.

But the Windows Service never signals Started, so the Service Control Manager reports only the generic:

Error 1053: The service did not respond to the start or control request in a timely fashion.

Impact

• Admins diagnosing the failure see only the 1053 in services.msc / sc.exe / Event Log — the actionable error is buried in Servy's own log file, which is typically not the first place they look.
• There is no automatic recovery. The service will fail on every start indefinitely.
• Realistic trigger: any organisation that uses image-based Windows deployment (SCCM task sequence, MDT, Ghost, VMware clone) and has Servy installed in the gold image will hit this on every cloned host.

Reproduction

1. Install Servy on machine A, start the service so aes_key.dat is created.
2. Copy C:\ProgramData\Servy\security\aes_key.dat to machine B (or image machine A to B).
3. Start the Servy service on machine B.
4. Service fails with 1053; log shows CryptographicException: The data is invalid.

Suggested fixes (pick one or combine)

1. Event Log surface — when ProtectedKeyProvider fails with "data is invalid" on LocalMachine scope, write an entry to the Windows Application Event Log (not just Servy's private log) with source Servy and a clear message including the recovery command. Admins routinely check Event Viewer for 1053; Servy's private log they don't.
2. Dedicated recovery CLI command — e.g., servy-cli.exe reset-keys (or --reset-security-keys) that deletes the security folder with a confirmation prompt. Document it next to the error message.
3. Optional auto-heal flag at install time — Install-ServyService -AutoResetStaleKey — when set, the service constructor catches CryptographicException from ProtectedKeyProvider, deletes the corrupt key, regenerates, and logs what happened. Off by default (data loss implications), on for orgs that know their config is idempotent.
4. Service exit code — if the service can't be made to succeed, at least exit with a distinctive non-zero code (e.g., a Servy-specific code) so SCM/Event Log shows something more specific than 1053.

Workaround (for anyone else hitting this)

Stop-Service <YourServyServiceName> -Force
Remove-Item 'C:\ProgramData\Servy\security' -Recurse -Force
Start-Service <YourServyServiceName>

This wipes the stale key so Servy regenerates a fresh one bound to the current machine's DPAPI master. Safe if the service config is reinstalled from source on every deploy (no persistent Servy-encrypted state).

Environment

• OS: Windows 11 Enterprise 10.0.26200
• Trigger: cloned/imaged host

[aelassas]

I will be implementing Fixes 1, 2, and 4 in the upcoming release to ensure this surfaces clearly to administrators and fails fast.

Regarding Fix 3 (the optional auto-heal flag): I've decided against implementing this. Once the old aes_key.dat file is deleted and a new one is generated, any previous data encrypted with the old key becomes permanently unreadable. Silently wiping the key would leave the existing service configurations in the database corrupted and unreadable.

The safest migration path for anyone hitting this in a cloned/imaged environment is:

1. Export service configurations to XML or JSON on the original machine.
2. On the cloned machine, delete the Servy security and db folders to completely clear the stale state.
3. Import the services via the CLI, PowerShell, or Manager.

You will need to re-enter usernames and passwords if your services run under specific accounts, as those secrets are not exported for security reasons.

[Christophe-Rogiers]

Update: security/ sub-folder wipe is insufficient — need to wipe the entire C:\ProgramData\Servy\ root

After shipping a workaround that wiped C:\ProgramData\Servy\security\ before install, the CryptographicException still recurred on the affected host. DPAPI itself was healthy (in-process ProtectedData.Protect + Unprotect roundtrip under LocalMachine scope succeeded), so the corruption was living in Servy's own state — not in the OS master key.

Something between our security-folder wipe and the subsequent service start kept reintroducing the broken key. Suspected contributors (we didn't narrow it down further because the radical fix worked): stale encrypted config in Servy's SQLite DB (servy.db), a lingering servy-cli.exe / Servy.Manager.exe process handle, or a post-install step that rehydrates keys from stored state.

Working fix: wipe the full C:\ProgramData\Servy\ root before reinstalling, not just the security/ sub-folder. After this, Install-ServyService rebuilds everything from scratch and the service starts cleanly.

Updated workaround:

Stop-Service <ServyManagedServiceName> -Force -ErrorAction SilentlyContinue
Get-Process servy,servy-cli,Servy.Manager -ErrorAction SilentlyContinue | Stop-Process -Force
sc.exe delete <ServyManagedServiceName>
Remove-Item 'C:\ProgramData\Servy' -Recurse -Force
# reinstall the service

This strengthens the original "Suggested fixes" section — especially fix #2 (dedicated recovery CLI command): servy-cli.exe reset-keys probably needs to wipe the entire Servy data root, not just the key file, to cover whatever state-reintroduction path we hit here.

[aelassas]

A clone copies the files, but enterprise cloning intentionally destroys the cryptographic identity of the OS to prevent network conflicts. Since DPAPI is tied to that identity, the keys are left behind.

The safest path is to export service configurations to XML or JSON on the original machine.
On the cloned machine, delete the Servy security and db folders in %ProgramData%\Servy to completely clear the stale state.
Import the services via the CLI, PowerShell, or Manager.

​Breaking on clone is a feature, not a bug. ​If the encryption architecture allowed an aes_key.dat file to be copied to another machine and successfully decrypted, we wouldn't have a secure system; we would just have obfuscation. DPAPI is doing exactly what it was designed to do: ensuring that secrets tied to Machine A die with Machine A.

By making Servy fail loudly and clearly when the crypto boundary is crossed, we are actually forcing administrators to follow better deployment practices.

[aelassas]

Applied fix 1 and 4. Fix 3 not possible and Fix 2 too dangerous. For fix 2 I added explicit workaround in log message in event log and local file:

Failed to unprotect encryption key at 'C:\ProgramData\Servy\security\aes_key.dat'. The file may have been moved from another machine or restored from an image.

Workaround:
1. (If possible) Export service configurations to XML or JSON on the original machine.
2. On the new machine, backup and delete the following folders:
   - %ProgramData%\Servy\security
   - %ProgramData%\Servy\db
3. Import the services via the CLI, PowerShell, or Manager.
4. You will need to re-enter usernames and passwords if your services run under specific accounts, as those secrets are not exported for security reasons.

Exception: ...