Storing encryption keys in BLOB and securing them with Azure Key Vault
Description
I recently ran into issues when I used BLOB storage to store encryption key(s). The link to that issue is DataProtectionProvider persist keys to BLOB does not use keys from BLOB. I was lucky enough that the issue resolution was simple enough, and I think the official documents should include the important things discussed in that issue. Please let me know if you need anything else from me.
Here is the text that should be added to the documentation page:
> [!NOTE]
> This article was written for an app that runs within a docker container, where it will always have the same path and, therefore, the same application discriminator. If you need to run an app in multiple environments (e.g. local and deployed), set the default application discriminator for the environment. You can find more details on the application discriminator at SetApplicationName.
>
> When BLOB is used to store the encryption key, Azure Key Vault MUST be used to protect it; thus the two calls, PersistKeysToAzureBlobStorage and ProtectKeysWithAzureKeyVault, cannot be separated.
Page URL
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-8.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/data-protection/configuration/overview.md
Document ID
69818122-e47a-3fed-ea37-8009f66e2a5c
Article author
@Rick-Anderson
Notably, this page also doesn't mention ApplicationName: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/scaling-aspnet-apps/scaling-aspnet-apps?view=aspnetcore-8.0&tabs=login-azure-cli
I think the assumption in that tutorial is that the app will always be run within a docker container, where it will always have the same path and, therefore, the same application discriminator.
The default application discriminator is the content root path: https://github.com/dotnet/aspnetcore/blob/1c8f20be1fc4e97044d7ca93edae3af528bc3521/src/DataProtection/DataProtection/src/Internal/HostingApplicationDiscriminator.cs#L34
I'm not sure we specifically want to document that, though it would be quite hard to change at this point. Personally, I think I'd emphasize that you should set it if you need to run your app in multiple environments (e.g. local and deployed).
If you don't configure data protection at all, this shouldn't matter, since keys won't be shared regardless.
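The following is an added example written for this thread; it is not code from the issue, from the linked docs page, or from the ASP.NET Core project. It ties together the note proposed in the first post and the point above that the hosting default discriminator is the content root path. Part 1 runs offline: a temp directory stands in for the blob container, and two different paths passed to SetApplicationName simulate the content roots of a container (/app) and a dev box, showing that a shared key ring plus different discriminators makes Unprotect throw, and that pinning one name fixes it. Part 2 is the production wiring: key ring in a blob, key material wrapped by a Key Vault key, application name pinned. Assumed and chosen here, not taken from the thread: the package set (Microsoft.AspNetCore.DataProtection.Extensions, Azure.Extensions.AspNetCore.DataProtection.Blobs, Azure.Extensions.AspNetCore.DataProtection.Keys, Azure.Identity), the configuration keys under "DataProtection:", the purpose string "auth-cookie", and the name "my-app".

```csharp
// Added example for this issue thread, not code from the issue, the docs page or
// the ASP.NET Core project. Assumed packages: Microsoft.AspNetCore.DataProtection.Extensions,
// Azure.Extensions.AspNetCore.DataProtection.Blobs, Azure.Extensions.AspNetCore.DataProtection.Keys,
// Azure.Identity. The "DataProtection:*" config keys are placeholders chosen for this example.
using System;
using System.IO;
using System.Security.Cryptography;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class DataProtectionDemo
{
    // Part 1 (offline): one shared key ring, two application discriminators.
    // A temp directory stands in for the blob container. The hosting default
    // discriminator is the content root path; that is simulated here by passing
    // two different paths to SetApplicationName.
    public static void ShowDiscriminatorMismatch()
    {
        DirectoryInfo keyDir = Directory.CreateDirectory(
            Path.Combine(Path.GetTempPath(), "dp-discriminator-demo"));

        // "Deployed" in a container: content root /app.
        var deployed = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("/app"));
        // "Local" on a dev box: a different content root, hence a different discriminator.
        var local = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName(@"C:\src\MyApp"));

        string token = deployed.CreateProtector("auth-cookie").Protect("user=alice");
        try
        {
            local.CreateProtector("auth-cookie").Unprotect(token);
            Console.WriteLine("unexpected: mismatched discriminators decrypted the payload");
        }
        catch (CryptographicException)
        {
            // Same key file on disk, but the discriminator is part of the purpose chain,
            // so the "local" instance cannot unprotect what "deployed" protected.
            Console.WriteLine("shared key ring + different discriminator: Unprotect fails");
        }

        // Fix: pin the same name in every environment instead of relying on the path.
        var fixedDeployed = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("my-app"));
        var fixedLocal = DataProtectionProvider.Create(keyDir, b => b.SetApplicationName("my-app"));
        token = fixedDeployed.CreateProtector("auth-cookie").Protect("user=alice");
        Console.WriteLine(fixedLocal.CreateProtector("auth-cookie").Unprotect(token));
    }

    // Part 2: the production wiring the first post describes. The key ring XML lives
    // in a blob, its key material is wrapped by a Key Vault key, and the application
    // name is pinned explicitly. One credential serves both Azure calls.
    public static IServiceCollection AddProductionDataProtection(
        this IServiceCollection services, IConfiguration config)
    {
        var credential = new DefaultAzureCredential();
        services.AddDataProtection()
            .SetApplicationName(config["DataProtection:ApplicationName"] ?? "my-app")
            // e.g. https://<account>.blob.core.windows.net/<container>/keys.xml
            .PersistKeysToAzureBlobStorage(new Uri(config["DataProtection:BlobUri"]!), credential)
            // e.g. https://<vault>.vault.azure.net/keys/<key-name>
            .ProtectKeysWithAzureKeyVault(new Uri(config["DataProtection:KeyId"]!), credential);
        return services;
    }

    public static void Main() => ShowDiscriminatorMismatch();
}
```

In a web app, call `builder.Services.AddProductionDataProtection(builder.Configuration);` from Program.cs. Without a ProtectKeysWith* call the key ring XML written to the blob contains the key material unencrypted, so the identity behind DefaultAzureCredential needs read/write access to the blob and wrap/unwrap permission on the Key Vault key, and every environment that must read each other's payloads has to agree on the SetApplicationName value.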
@mjoksa any chance you could provide a PR using @amcasey suggestions? Something like
> [!NOTE]
> This article was written for an app that runs within a docker container, where it will always have the same path and, therefore, the same application discriminator. If you need to run an app in multiple environments (e.g. local and deployed), set the default application discriminator for the environment.
> Running an app in multiple environments is beyond the scope of this article.
@amcasey please suggest better wording.
The phrasing seems fine to me (other than a stray double space after "discriminator"), but I'd probably add a link to https://learn.microsoft.com/aspnet/core/security/data-protection/configuration/overview#setapplicationname.
@Rick-Anderson, @amcasey - I was not exactly sure what you guys wanted me to do and how to do it, so I updated the original (first) post in this thread with a note that should be in the official docs.
@mjoksa I'll take care of it.