We use keys persisted to file system, and we distribute the key files along with our code deployments. The keys are protected with a certificate configured on the server. Since we are on a load balancer, we don't want the servers generating their own keys. Also, we don't want the key directory to be writable by the web server application.
PersistKeysToFileSystem only generates the key file if the existing one will expire in the next day or so. I don't want to wait for the files to expire on the server, given the stakes of not having a key file available to the application. I want to distribute the files ahead of time, with a code deployment.
Ideally I'd like to create a new key file with an activation date in the future, something like:
configuration.SetApplicationName($"{purpose1}")
.SetDefaultKeyLifetime(TimeSpan.FromDays(daysToExpire))
.SetActivationDate(TimeSpan.FromDays(someOtherSpan))
.PersistKeysToFileSystem(directory)
.ProtectKeysWithCertificate(cert);
But there is no SetActivationDate method exposed for the DP API.
I can see that SetDefaultKeyLifetime sets the local instance of DPP to the later expiration date. But the expiration date of the key file doesn't change, nor does it generate a new key file.
How are other people solving this problem of expiring key files? It seems like such a basic thing, I must have some wrong-headed idea about how these are supposed to work. Surely people aren't just waiting for their keys to expire, and then remembering to do something the day before.
We use keys persisted to file system, and we distribute the key files along with our code deployments. The keys are protected with a certificate configured on the server. Since we are on a load balancer, we don't want the servers generating their own keys. Also, we don't want the key directory to be writable by the web server application.
PersistKeysToFileSystem only generates the key file if the existing one will expire in the next day or so. I don't want to wait for the files to expire on the server, given the stakes of not having a key file available to the application. I want to distribute the files ahead of time, with a code deployment.
Ideally I'd like to create a new key file with an activation date in the future, something like:
configuration.SetApplicationName($"{purpose1}")
.SetDefaultKeyLifetime(TimeSpan.FromDays(daysToExpire))
.SetActivationDate(TimeSpan.FromDays(someOtherSpan))
.PersistKeysToFileSystem(directory)
.ProtectKeysWithCertificate(cert);
But there is no SetActivationDate method exposed for the DP API.
I can see that SetDefaultKeyLifetime sets the local instance of DPP to the later expiration date. But the expiration date of the key file doesn't change, nor does it generate a new key file.
How are other people solving this problem of expiring key files? It seems like such a basic thing, I must have some wrong-headed idea about how these are supposed to work. Surely people aren't just waiting for their keys to expire, and then remembering to do something the day before.
Share Improve this question edited Nov 20, 2024 at 19:05 marc_s 756k184 gold badges1.4k silver badges1.5k bronze badges asked Nov 20, 2024 at 17:29 Aaron NewmanAaron Newman 114 bronze badges 3- it's a keyring... see here: learn.microsoft/en-us/aspnet/core/security/data-protection/… Expired keys won't be used for new encryptions. Each machine will have it's own "ring" and will be generating new keys so not sure you can do what you are trying to do. If they are protected with DPAPI they are not portable anyway... (DPAPI is a good idea here to keep your secrets secret) Have you considered using "sticky sessions"? – browsermator Commented Nov 20, 2024 at 19:55
- I believe Azure hosted apps store keys in a central place where all servers can use same. See here: learn.microsoft/en-us/aspnet/core/security/data-protection/… – browsermator Commented Nov 20, 2024 at 20:00
- @browsermator that is not how data protection works on a web farm/load balancer. Each web server needs to use the same key file, or a web server can't use a value encrypted by a different server on the same load balancer (e.g. for session cookies). Edit: from your second comment, I could store them in a central place, but that doesn't help with replacing expired key files. I don't want the web servers to do that. – Aaron Newman Commented Nov 20, 2024 at 20:07
1 Answer
Reset to default 0I see now, it is possible with the KeyManager. I discounted this because the docs say it is 'advanced', but I guess they just mean creating your own key manager is complex. There are 2 options - you can create a new one that activates in the future, or revoke the existing certificate and create one that activates now. Going with the latter option, this is what I came up with.
Edit: I see now that's now how revocation works. If you revoke the original key, you can't read anything that's previously been encrypted.
https://learn.microsoft/en-us/aspnet/core/security/data-protection/extensibility/key-management?view=aspnetcore-8.0
var serviceCollection = new ServiceCollection();
// If there is no valid key file or the key file is expired,
// this will create it.
serviceCollection.AddDataProtection().SetApplicationName($"{purpose1}").
SetDefaultKeyLifetime(TimeSpan.FromDays(daysToExpire)).
PersistKeysToFileSystem(directory).
ProtectKeysWithCertificate(cert);
var services = serviceCollection.BuildServiceProvider();
provider = services.GetDataProtectionProvider();
// if there is a non-expired file already, this will revoke it
// and create a new one with a later expiration date
var keyManager = services.GetService<IKeyManager>();
// Nope...keyManager.RevokeAllKeys
keyManager.CreateNewKey(
activationDate: DateTimeOffset.Now,
expirationDate: DateTimeOffset.Now.AddDays(daysToExpire));
发布者:admin,转转请注明出处:http://www.yc00.com/questions/1742341031a4425631.html
评论列表(0条)