AspNetCore.Docs
Is any ProtectKeysWith* supported in Linux containers on-premise?
I am trying to set up ASP.NET Core apps in Linux containers in an on-premises setup, so it does not print this warning: No XML encryptor configured. Key {...} may be persisted to storage in unencrypted form.
Of the built-in options, ProtectKeysWithAzureKeyVault is not applicable for us since we don't have access to Azure, and ProtectKeysWithDpapi and ProtectKeysWithDpapiNG are not applicable because we run in Linux containers. ProtectKeysWithCertificate takes either a certificate or thumbprint as input, but the documentation has no guidelines about what types of certificate are appropriate.
Can you add an example of how to create and use a certificate that is appropriate to use with Data Protection?
Is there a dotnet CLI command to generate such a certificate?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 0c24ccb9-b297-f942-ebf1-c994d672f183
- Version Independent ID: 5d6eb72e-b1b5-1507-6162-16a9a4a01aa0
- Content: Key encryption at rest in Windows and Azure using ASP.NET Core
- Content Source: aspnetcore/security/data-protection/implementation/key-encryption-at-rest.md
- Product: aspnet-core
- Technology: aspnetcore-security
- GitHub Login: @Rick-Anderson
- Microsoft Alias: riande
Just had to do this myself. You can use ProtectKeysWithCertificate with a self-signed certificate created via openssl or dotnet dev-certs (or any other tool that can create an X.509 certificate). Make sure it is in the .pfx format, and on Linux it is easiest to just directly instantiate the X509Certificate2 with the path to the .pfx file and the password, then pass that certificate into ProtectKeysWithCertificate.
using Microsoft.AspNetCore.DataProtection;
using StackExchange.Redis;
using System.Security.Cryptography.X509Certificates;

// Shared key-ring store: every container instance reads and writes the same keys in Redis.
var redis = ConnectionMultiplexer.Connect(Configuration["Redis"]);
// Load the .pfx (certificate plus private key) from a path and password supplied via configuration.
var cert = new X509Certificate2(Configuration["CertificatePath"], Configuration["CertificatePassword"]);
services.AddDataProtection()
    .SetApplicationName("MyApplication")   // must match on every instance that shares the key ring
    .ProtectKeysWithCertificate(cert)      // keys are encrypted with this certificate before persisting
    .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys");
But yes, I agree the docs could be improved here.
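Creating such a .pfx with openssl, as an added example that is not part of the comment above or of the ASP.NET Core docs: it produces a self-signed certificate, bundles it with its private key into a password-protected PKCS#12 file that `new X509Certificate2(path, password)` can load, and checks the result. The output directory, subject name, validity and password are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: self-signed X.509 certificate for ProtectKeysWithCertificate, packaged as .pfx.
# Subject name, validity period and password below are constructed for illustration.
set -eu

make_dataprotection_pfx() {
  out_dir="$1"      # where key.pem, cert.pem and dataprotection.pfx are written
  password="$2"     # protects the private key inside the .pfx
  days="${3:-3650}" # validity in days; rotate the certificate before it expires

  mkdir -p "$out_dir"
  # 1. Private key plus self-signed certificate. Data Protection only uses the key pair to
  #    wrap and unwrap the key ring, so no SAN or server-auth EKU is required.
  openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days "$days" \
    -subj "/CN=DataProtection Key Encryption" \
    -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem" 2>/dev/null
  # 2. Bundle certificate and key into PKCS#12 (.pfx) with a password.
  openssl pkcs12 -export -inkey "$out_dir/key.pem" -in "$out_dir/cert.pem" \
    -out "$out_dir/dataprotection.pfx" -passout "pass:$password"
  # The loose PEM private key is no longer needed once it is inside the .pfx.
  rm -f "$out_dir/key.pem"
  chmod 600 "$out_dir/dataprotection.pfx"
}

# Sanity check: the .pfx must open with the given password and contain a private key.
# Returns 0 on success, 1 otherwise (wrong password fails the PKCS#12 MAC check).
verify_pfx() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"; then
    return 0
  fi
  return 1
}
```

Mount the resulting .pfx into the container as a secret and feed its path and password to the app through configuration, as in the snippet above; keep the password out of the image itself.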