Windows DPAPI - what to do with entropy?

Entropy is a secondary key that is specific to the application that is protecting data. The general idea, if I remember correctly, was to allow multiple applications to encrypt data under a single user account, but still maintain security between each other. For example, your application may encrypt data under UserA. If my application wished to decrypt that data under UserA, there really isn't anything to stop me from doing so, as the DPAPI uses the user's key. However, if you factor in an application-specific "entropy", then I would need to know your entropy to decrypt any data protected for UserA.

Entropy could be considered analogous to salt, in that it is an additional key or secret used to further abstract the encrypted content. Unlike salt, your application's entropy would need to remain the same for every encryption operation under a given credential. With salt, it's generally best to change it as often as you can.

Entropy is essentially an additional key, and it should be treated like any other cryptographic key. Keep it private and secure.

BTW, I think 'entropy' was an atrocious word to use for this purpose. Something like 'differentiator', or perhaps even coining a word like 'distinctifier', would have been better. :P Very confusing use of the term.


One use of additional entropy is to password-protect the application itself. A key derived from the password can be used as entropy while storing application data. Otherwise any process running under the user's context may be able to decrypt the data. If you store the additional entropy instead of prompting for a password, it could still be targeted by a rogue application.
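Putting the two answers together, as an added example that is not from the original answers or from Microsoft: the entropy is derived from a password with PBKDF2, passed to ProtectedData, and a second Unprotect call under the same user account but without the entropy is shown to fail. It assumes Windows, .NET 6 or later and the System.Security.Cryptography.ProtectedData package; the salt, the password and the sample secret are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answers): derive the DPAPI "entropy" from a
// password and show that data protected with it cannot be unprotected without it.
// Assumes Windows, .NET 6+ and the System.Security.Cryptography.ProtectedData package.
static class DpapiEntropyDemo
{
    // Per-deployment salt (constructed sample). It is not secret and can be stored
    // next to the ciphertext. The entropy must be identical for every Protect and
    // Unprotect call, so the derivation has to be deterministic.
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("dpapi-entropy-demo-salt");

    static byte[] EntropyFromPassword(string password) =>
        Rfc2898DeriveBytes.Pbkdf2(password, Salt, 100_000, HashAlgorithmName.SHA256, 32);

    static byte[] Protect(byte[] plaintext, byte[] entropy) =>
        ProtectedData.Protect(plaintext, entropy, DataProtectionScope.CurrentUser);

    static byte[] Unprotect(byte[] ciphertext, byte[] entropy) =>
        ProtectedData.Unprotect(ciphertext, entropy, DataProtectionScope.CurrentUser);

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("api-token-12345"); // constructed sample
        byte[] entropy = EntropyFromPassword("correct horse battery staple"); // constructed
        byte[] blob = Protect(secret, entropy);

        // Same user, same entropy: the blob round-trips.
        string roundTrip = Encoding.UTF8.GetString(Unprotect(blob, entropy));
        Console.WriteLine(roundTrip == "api-token-12345" ? "unprotect ok" : "unexpected");

        // Same user, no entropy: DPAPI rejects the call, so the user's master key
        // alone is not enough to recover the data.
        try
        {
            Unprotect(blob, null);
            Console.WriteLine("unexpected: decrypted without entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("unprotect without entropy failed as expected");
        }

        // The derived entropy is a key, not a salt: clear it when it is no longer needed.
        CryptographicOperations.ZeroMemory(entropy);
    }
}
```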

Tags: .Net, Security