Key Blobs Explained

Key blobs provide a way to store keys outside of the CSP. In Generating Cryptographic Keys it states that keys are always kept inside the CSP for safekeeping, and that applications are allowed access to the key only through a handle. Key blobs are the one exception to this rule.

Key blobs are created by exporting an existing key out of the provider by using the CryptExportKey function. Later, the key blob can be imported into a provider (often a different CSP on a different computer) by using the CryptImportKey function. This will create a key in the CSP that is a duplicate of the one that was exported. In this way, key blobs are used as the medium for securely transferring keys from one CSP to another.

Key blobs consist of a standard header, followed by data (a string of unintelligible bytes) that represents the key itself. If the key blob contains a session key, then this data is always kept encrypted. Applications do not access the internals of key blobs. It was this characteristic of being an inaccessible, unintelligible string of bytes that led to the name "key blob."

Key blobs are personalized in that they are encrypted with the key exchange public key of the intended recipient, so only the holder of the matching private key can import them. This makes them fairly secure. To make them tamperproof, key blobs are sometimes signed with the key exchange private key of the originating user.
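To make the "standard header followed by key data" layout concrete, here is an added Python example (not code from the Microsoft documentation) that builds and validates a PUBLICKEYBLOB, the one blob kind whose key data is not encrypted and can therefore be parsed end to end. The structure layouts and constants are assumed from wincrypt.h, the modulus is a constructed toy value rather than a real key, and the header checks stand in for the validation a receiver should do before calling CryptImportKey.

```python
import struct
# Layouts assumed from wincrypt.h: BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved;
# ALG_ID aiKeyAlg; } then RSAPUBKEY { DWORD magic; DWORD bitlen; DWORD pubexp; } then modulus (LE)
BLOBHEADER_FMT, RSAPUBKEY_FMT = "<BBHI", "<III"
BLOB_TYPE_NAMES = {0x1: "SIMPLEBLOB", 0x6: "PUBLICKEYBLOB", 0x7: "PRIVATEKEYBLOB"}
PUBLICKEYBLOB, CUR_BLOB_VERSION = 0x6, 2
CALG_RSA_KEYX = 0x0000A400   # RSA key-exchange algorithm identifier
RSA1_MAGIC = 0x31415352      # "RSA1": marks the public half of an RSA key

def parse_blob_header(blob: bytes) -> dict:
    # Validate the 8-byte BLOBHEADER that every key blob starts with.
    if len(blob) < struct.calcsize(BLOBHEADER_FMT):
        raise ValueError("blob shorter than BLOBHEADER")
    b_type, b_version, reserved, alg_id = struct.unpack_from(BLOBHEADER_FMT, blob, 0)
    if b_version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unsupported blob version or non-zero reserved field")
    if b_type not in BLOB_TYPE_NAMES:
        raise ValueError(f"unknown blob type 0x{b_type:02x}")
    return {"type": BLOB_TYPE_NAMES[b_type], "alg_id": alg_id}

def parse_rsa_public_key_blob(blob: bytes) -> dict:
    # A PUBLICKEYBLOB carries its key data in the clear, so it can be parsed end to end.
    header = parse_blob_header(blob)
    if header["type"] != "PUBLICKEYBLOB":
        raise ValueError("expected PUBLICKEYBLOB, got " + header["type"])
    magic, bitlen, pubexp = struct.unpack_from(RSAPUBKEY_FMT, blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("bad RSAPUBKEY magic")
    modulus_bytes = blob[20:20 + bitlen // 8]
    if len(modulus_bytes) != bitlen // 8:   # refuse a truncated blob rather than import it
        raise ValueError("modulus shorter than bitlen")
    return {**header, "bitlen": bitlen, "pubexp": pubexp,
            "modulus": int.from_bytes(modulus_bytes, "little")}

def build_rsa_public_key_blob(modulus: int, pubexp: int, bitlen: int) -> bytes:
    # Serialize an RSA public key in the layout CryptExportKey emits for PUBLICKEYBLOB.
    return (struct.pack(BLOBHEADER_FMT, PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + struct.pack(RSAPUBKEY_FMT, RSA1_MAGIC, bitlen, pubexp)
            + modulus.to_bytes(bitlen // 8, "little"))

def header_is_importable(blob: bytes) -> bool:
    # Cheap pre-flight check on a received blob before handing it to CryptImportKey.
    try:
        parse_blob_header(blob)
        return True
    except ValueError:
        return False

# Constructed sample: a toy 64-bit modulus, NOT a real key.
SAMPLE_MODULUS = 0xC0FFEE1234567891
SAMPLE_BLOB = build_rsa_public_key_blob(SAMPLE_MODULUS, 65537, 64)
```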

For details on the key blobs associated with particular providers, see the key blob sections of Microsoft Cryptographic Service Providers.

There are currently three types of key blobs defined: