I'm having difficulty understanding the Data Protection API.
I'm wanting to set up some net core web applications in a clustered environment (service fabric). Prev
You have to supply an implementation of IXmlRepository
which provides the data protection API with a place to store the keys. The ProtectKeysWith*()
directives protect the keys at rest (in basic terms, encrypts the keys before saving them!). Additional info here.
I ended up persisting my keys to AzureStorage. More info here.
// Keys persist to the blob container; each key is wrapped with DPAPI-NG, bound to the
// certificate with this thumbprint (in the machine store), before it is written.
serviceCollection.AddDataProtection()
    .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None)
    .PersistKeysToAzureBlobStorage(/* params */);
It is also worth noting that the certificate used to protect the keys must be stored in a certificate store and the account which the application is running under must have read access. See here.
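As an added example (not code from the answer above or from the ASP.NET Core project), here is what the two halves look like when wired by hand: a minimal IXmlRepository that writes the key ring to a folder every cluster node can reach, and a startup check that the protection certificate is actually present in LocalMachine\My with a usable private key before ProtectKeysWithDpapiNG is registered. The share path, the application name and the thumbprint are placeholders. DPAPI-NG is Windows-only, so this assumes Windows nodes, which is the normal Service Fabric case; for a plain directory the built-in PersistKeysToFileSystem already does what the repository below does, it is written out here to show the contract.

```csharp
// Added example; assumes Windows nodes, a UNC share reachable by every node, and a
// certificate already imported into LocalMachine\My on each node (all placeholders).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;
using Microsoft.Extensions.DependencyInjection;

// One XML element per key, stored as one file in a folder shared by all nodes.
// The repository only ever sees the already-encrypted key XML, so it does not
// have to care about confidentiality; it has to care about all nodes agreeing.
public sealed class SharedFolderXmlRepository : IXmlRepository
{
    private readonly DirectoryInfo _dir;

    public SharedFolderXmlRepository(string path)
    {
        _dir = Directory.CreateDirectory(path);
    }

    public IReadOnlyCollection<XElement> GetAllElements()
    {
        // A single corrupt file should not take the whole key ring (and the app) down.
        var elements = new List<XElement>();
        foreach (var file in _dir.EnumerateFiles("*.xml"))
        {
            try { elements.Add(XElement.Load(file.FullName)); }
            catch (System.Xml.XmlException) { /* skip unreadable entry */ }
        }
        return elements.AsReadOnly();
    }

    public void StoreElement(XElement element, string friendlyName)
    {
        // Write to a temp file and rename so another node never reads a half-written key.
        // Key ring entries are append-only (a new key or revocation gets a new name), so
        // the final name is not expected to exist yet.
        var invalid = Path.GetInvalidFileNameChars();
        var safeName = new string(friendlyName.Where(c => !invalid.Contains(c)).ToArray());
        if (safeName.Length == 0) safeName = Guid.NewGuid().ToString("N");
        var finalPath = Path.Combine(_dir.FullName, safeName + ".xml");
        var tempPath = finalPath + "." + Guid.NewGuid().ToString("N") + ".tmp";
        element.Save(tempPath);
        File.Move(tempPath, finalPath);
    }
}

public static class KeyProtectionCertificate
{
    // DPAPI-NG resolves "CERTIFICATE=HashId:<thumbprint>" against the machine store, and
    // every node that must unprotect the key ring needs the private key readable by the
    // service account. Fail at startup rather than on the first cookie decrypt.
    public static X509Certificate2 RequireInStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var match = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
            if (match == null)
                throw new InvalidOperationException($"Certificate {thumbprint} not found in LocalMachine\\My.");
            if (!match.HasPrivateKey)
                throw new InvalidOperationException($"Certificate {thumbprint} has no associated private key.");
            try
            {
                // Opening the key is what actually exercises the key container ACL.
                using (match.GetRSAPrivateKey()) { }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException($"Private key of {thumbprint} is not readable by this account.", ex);
            }
            return match;
        }
    }
}

public static class DataProtectionSetup
{
    public static IServiceCollection AddClusterDataProtection(
        this IServiceCollection services, string sharedKeyFolder, string thumbprint)
    {
        KeyProtectionCertificate.RequireInStore(thumbprint);
        services.AddDataProtection()
            .SetApplicationName("my-sf-app") // same on every node, or protectors will not match
            .AddKeyManagementOptions(o => o.XmlRepository = new SharedFolderXmlRepository(sharedKeyFolder))
            .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbprint}", DpapiNGProtectionDescriptorFlags.None);
        return services;
    }
}
```

Call it from Startup as `services.AddClusterDataProtection(@"\\fileserver\keys", "<thumbprint>")`. The order matters only for readability: the repository and the key encryptor are independent, but both must be set explicitly, because once you supply your own IXmlRepository the framework no longer picks its default storage or its default at-rest protection for you.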