Equivalent of Data Protection API on Linux

Published 2019-03-18 08:48

Question:

Microsoft Windows 2000 and later versions expose the Data Protection API (DPAPI) that encrypts data for a per-user or per-system context. The caller does not provide a key with which to encrypt the data. Rather, the data is encrypted with a key derived from the user or system credentials.

This API is conveniently exposed in .NET via the ProtectedData class:

// Encrypts the data in a specified byte array and returns a byte array
// that contains the encrypted data.
public static byte[] Protect(
    byte[] userData,
    byte[] optionalEntropy,
    DataProtectionScope scope
)

// Decrypts the data in a specified byte array and returns a byte array
// that contains the decrypted data.
public static byte[] Unprotect(
    byte[] encryptedData,
    byte[] optionalEntropy,
    DataProtectionScope scope
)

Is there an equivalent API on Linux? A bonus would be that it integrates conveniently with Java.

What are my alternatives if there isn't one?
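
As an added example that is not part of the original question, here is a minimal DPAPI-style Protect/Unprotect in Go that mirrors the .NET semantics above: the caller passes data, optional entropy and a scope but never a key. The key is derived with HKDF-SHA256 from a per-scope master secret plus the entropy, and the blob is AES-256-GCM with the version and scope bound in as associated data, so a blob protected for one user or scope cannot be opened under another. The master secrets (constructed sample values), the blob layout and the Scope/Protect/Unprotect names are assumptions made for illustration; DPAPI's real master-key hierarchy and blob format differ, and exposing this to Java (over a local socket or JNI) is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Scope mirrors .NET's DataProtectionScope.
type Scope byte

const (
	CurrentUser  Scope = 1
	LocalMachine Scope = 2
)

const blobVersion byte = 1 // authenticated with every blob so the format can evolve

// masterSecrets stand in for what DPAPI derives from the user's logon credentials
// (CurrentUser) and from machine-local secrets (LocalMachine). CONSTRUCTED sample
// values: a real implementation would load the user secret from a file readable
// only by that user and the machine secret from a root-only file, never embed them.
var masterSecrets = map[Scope][]byte{
	CurrentUser:  []byte("constructed-master-secret-for-user-alice"),
	LocalMachine: []byte("constructed-master-secret-for-this-host"),
}

// hkdfSHA256 is RFC 5869 HKDF-SHA256 with a single expand block (32 bytes out).
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // empty salt == HashLen zero bytes
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{1}) // T(1) counter byte
	return expand.Sum(nil)
}

// newGCM derives the AES-256 key from the scope's master secret and the caller's
// optional entropy, so a blob cannot be opened with either one missing or wrong.
func newGCM(scope Scope, optionalEntropy []byte) (cipher.AEAD, error) {
	secret, ok := masterSecrets[scope]
	if !ok {
		return nil, errors.New("unknown scope")
	}
	info := append([]byte("dpapi-like/v1/scope="), byte(scope))
	block, err := aes.NewCipher(hkdfSHA256(secret, optionalEntropy, info))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the analogue of ProtectedData.Protect: the caller supplies no key.
// Blob layout: version | scope | 12-byte random nonce | GCM ciphertext+tag, with
// the two header bytes bound in as associated data.
func Protect(userData, optionalEntropy []byte, scope Scope) ([]byte, error) {
	gcm, err := newGCM(scope, optionalEntropy)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := []byte{blobVersion, byte(scope)}
	blob := append(append([]byte{}, header...), nonce...)
	return gcm.Seal(blob, nonce, userData, header), nil
}

// Unprotect is the analogue of ProtectedData.Unprotect. A wrong scope, wrong
// entropy or modified blob changes the key or the tag, so it fails closed.
func Unprotect(blob, optionalEntropy []byte, scope Scope) ([]byte, error) {
	gcm, err := newGCM(scope, optionalEntropy)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	if blob[0] != blobVersion || Scope(blob[1]) != scope {
		return nil, errors.New("blob version or scope mismatch")
	}
	nonce := blob[2 : 2+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[2+gcm.NonceSize():], blob[:2])
}

func main() {
	entropy := []byte("app-specific entropy")
	blob, _ := Protect([]byte("db password: hunter2"), entropy, CurrentUser)
	plain, err := Unprotect(blob, entropy, CurrentUser)
	fmt.Printf("%d-byte blob -> %q (err=%v)\n", len(blob), plain, err)
	_, err = Unprotect(blob, entropy, LocalMachine)
	fmt.Println("cross-scope Unprotect:", err)
}
```

Two limits worth keeping in mind if you build on this: a master secret in a user-owned file gives "anyone who can read that user's files" rather than "anyone holding the user's logon credentials", which is the property DPAPI actually provides; and random 96-bit GCM nonces should not be used for more than roughly 2^32 blobs under one derived key.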

Answer 1:

It doesn't look any more (or less) advanced than PGP, or Pretty Good Privacy. There are APIs available for PGP, and the one that I recall others speaking kindly of is Bouncy Castle.

Here's an example of how someone used Bouncy Castle.

Better APIs or solutions may be available, depending on your specific needs.

Answer 2:

There are two options for user-level key stores on Linux:

  • GnomeKeyring
  • KWallet

This does not address the need for a system-level key store.