ASP.NET Core Data Protection API in a clustered environment
I am having a hard time understanding the data protection API.
I want to set up some web applications in a clustered environment (Service Fabric). Previously, whatever you did, you just had to make sure each machine had the same key in its web.config. Simple. With the new Data Protection API it seems a little bit more involved.
From the documentation here, it sounds like it should be as simple as configuring the Data Protection service with the appropriate certificate.
However, I tried this:
using System;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args)
    {
        // add data protection services; keys at rest are to be encrypted with a
        // certificate identified by thumbprint via DPAPI-NG (Windows only)
        var serviceCollection = new ServiceCollection();
        string thumbPrint = "XXXXXXXXXXXX";
        serviceCollection.AddDataProtection()
            .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: DpapiNGProtectionDescriptorFlags.None);
        var services = serviceCollection.BuildServiceProvider();

        // create an instance of MyClass using the service provider
        var instance = ActivatorUtilities.CreateInstance<MyClass>(services);
        instance.RunSample();
    }
}

public class MyClass
{
    IDataProtector _protector;

    // the 'provider' parameter is provided by DI
    public MyClass(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector("Contoso.MyClass.v1");
    }

    public void RunSample()
    {
        Console.Write("Enter input: ");
        string input = Console.ReadLine();

        // protect the payload
        string protectedPayload = _protector.Protect(input);
        Console.WriteLine($"Protect returned: {protectedPayload}");

        // unprotect the payload
        string unprotectedPayload = _protector.Unprotect(protectedPayload);
        Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
        Console.ReadLine();
    }
}
And I just get an exception:
    System.InvalidOperationException occurred
    HResult=0x80131509
    Message=No service for type 'Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository' has been registered.
After some digging, it turns out that this is because there is no store registered for the keys.
What is the intended approach here? Should I keep my keys in some central location (i.e. a share available to all my apps)? If so, why?
You must provide an IXmlRepository implementation, which gives the Data Protection API a key storage location. The ProtectKeysWith*() directives protect keys at rest (basically, they encrypt the keys before storing them!). More information here.
I ended up persisting my keys to Azure Storage. More details here.
    serviceCollection.AddDataProtection()
        // encrypt keys at rest with the certificate identified by thumbprint
        .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None)
        // persist the (encrypted) key ring in a location shared by all nodes
        .PersistKeysToAzureBlobStorage(/* params */);
It is also worth noting that the certificate used to protect the keys must be stored in the certificate store, and the account under which the application runs must have read access to it. See here.
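The answer above names the two halves of a clustered setup: a key store every node can reach (PersistKeysTo*) and encryption of the stored keys (ProtectKeysWith*). The following is an added example, not code from the question or the answer, that wires both up with the cross-platform certificate route and simulates three nodes in one process. It assumes ASP.NET Core 2.1 or later (the Microsoft.AspNetCore.DataProtection package), uses a temporary directory in place of the shared location (a UNC share, Service Fabric volume or Azure Blob container), and generates a throwaway self-signed certificate; in a real cluster that certificate would be installed in every node's store, as the answer notes. The application name "Contoso.Cluster", the purpose string and the payload are illustrative.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Simulates cluster nodes that share one key ring directory and one
// key-encryption certificate, plus a node with a mismatched application name.
public static class ClusterDemo
{
    // Build the provider exactly as every node in the cluster would.
    // keyDir stands in for the shared key location (assumption: a path all nodes can reach).
    public static IDataProtectionProvider BuildNode(
        DirectoryInfo keyDir, X509Certificate2 keyEncryptionCert, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            // Same discriminator on every node; it is part of the purpose chain.
            .SetApplicationName(appName)
            // Key ring location reachable by all nodes (IXmlRepository registered here).
            .PersistKeysToFileSystem(keyDir)
            // Encrypt each key at rest with the certificate's public key ...
            .ProtectKeysWithCertificate(keyEncryptionCert)
            // ... and let this certificate's private key decrypt them when the ring loads.
            .UnprotectKeysWithAnyCertificate(keyEncryptionCert);
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
    }

    // Demo-only self-signed certificate (assumption for this example). In production
    // the certificate lives in each node's store and the app identity needs
    // read access to its private key.
    public static X509Certificate2 CreateDemoCertificate()
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=DataProtectionKeys-Demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
            DateTimeOffset.UtcNow.AddYears(1));
        // Round-trip through PFX so the private key is usable on every platform.
        return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null,
            X509KeyStorageFlags.Exportable);
    }

    public static void Main()
    {
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-" + Guid.NewGuid()));
        using var cert = CreateDemoCertificate();

        var nodeA = BuildNode(keyDir, cert, "Contoso.Cluster");
        var nodeB = BuildNode(keyDir, cert, "Contoso.Cluster");
        var wrongApp = BuildNode(keyDir, cert, "Contoso.Cluster.v2");

        // Node A creates the key ring on first use and protects a payload.
        string token = nodeA.CreateProtector("Contoso.MyClass.v1").Protect("session-42");

        // Node B loads the same key ring from the shared directory and can unprotect it.
        Console.WriteLine("node B: " + nodeB.CreateProtector("Contoso.MyClass.v1").Unprotect(token));

        // The persisted key XML holds an <encryptedSecret> element instead of the raw
        // master key, so whoever can read the share still cannot use the keys.
        string keyXml = File.ReadAllText(keyDir.GetFiles("key-*.xml").Single().FullName);
        Console.WriteLine(keyXml.Contains("encryptedSecret")
            ? "key ring is encrypted at rest"
            : "WARNING: key ring is stored in plaintext");

        // Same key ring, different application name: the purpose chain differs,
        // so the MAC check fails and Unprotect throws.
        try
        {
            wrongApp.CreateProtector("Contoso.MyClass.v1").Unprotect(token);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("mismatched application name rejected: " + ex.Message);
        }

        keyDir.Delete(recursive: true);
    }
}
```

Two caveats worth keeping in mind when adapting this. First, the ProtectKeysWithDpapiNG call in the question is Windows-only; ProtectKeysWithCertificate works on every platform, but the certificate with its private key must be available to each node. Second, if you register PersistKeysTo* without any ProtectKeysWith* directive, the master keys sit on the shared location in plaintext, and anyone who can read that share can decrypt every payload and mint authentication cookies for the whole cluster.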