问题
Folks, I need to encrypt some string data into a SQL database from and MVC Core 2.0 application. I'm thinking of using the Data Protection API with PersistKeysToFileSystem so that I can restore the data to another server and decrypt the data using the same key file. I am impressed with the performance of the DPAPI in Net core and I don't want to fo for any custom crypto solution as its too risky. I would be storing bulk uploads of data to SQL. Strings before encryption would be 200 chars or less.
I believe that DPAPI is considered more suited to encrypting small pieces of data e.g. passwords as opposed sql bulk operations. Do folks consider using DPAPI to encrypt data into a database a good use case?
回答1:
The Data Protection API is not necessarily only for small pieces of data, but it is meant for relatively transient data. In other words, it's not really intended to be used to encrypt/decrypt long-term. The keys will be cycled at some point, and while old keys are kept around to allow for transition to new keys, you should not really rely on that.
According to the docs:
The ASP.NET Core data protection APIs are not primarily intended for indefinite persistence of confidential payloads. Other technologies like Windows CNG DPAPI and Azure Rights Management are more suited to the scenario of indefinite storage, and they have correspondingly strong key management capabilities.
It does go on to say that you can do so if you desire, though. However, things have to be handled in a different way if you might potentially be working with revoked keys. The documentation link above goes into all the detail on that. However, bear in mind that you're inherently operating on your data in a less secure way, since you're explicitly allowing revoked keys to be used to decrypt data.
来源:https://stackoverflow.com/questions/52057454/storing-sensitive-data-that-is-encrypted-using-data-protection-api-with-persistk