
AspNetCore.DataProtection `ProtectKeysWithCertificate` rotation mechanism


Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Protecting keys at rest is a good practice and is often done via the ProtectKeysWith... methods like ProtectKeysWithCertificate. However, protecting the keys with, for example, ProtectKeysWithCertificate and an X509Certificate2 leaves the problem of rotating the certificate used for protecting the keys at rest. Is there a good pattern or some documentation on this topic on how to proceed with rotating certificates used for key protection at rest without restarting the application?

Describe the solution you’d like

Some docs or an API to configure proper certificate rotation for the protection of keys at rest.

Additional context

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 3
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
jeremy-morren commented, Nov 22, 2022

I would like to state that the current API works, however there is practically no documentation or examples available online. Having literally any documentation (beyond the fact that the methods exist) would be nice. As mentioned, there is no way to change the certificates once the application has started. If you have long-running processes, this is a problem.

Another problem (not with .NET itself; all crypto has this problem) is that the private keys have to be stored somewhere. The whole keyring must itself be encrypted; this is still the developer's problem.

The current workflow is as follows (as far as I can make out); it would be nice if this was officially documented somewhere:

  • At any time, there is 1 certificate that is used for encryption and decryption, and 0 or more used for decryption only. These function as ‘superkeys’: i.e. encryption keys used to encrypt the encryption keys.
  • To generate a new encryption key:
    • The key is generated
    • The key is encrypted using the current encryption certificate. This is done by the CertificateXmlEncryptor class.
    • The public portion of the certificate is stored in the key.
    • The key is persisted to the configured IXmlRepository (Redis, File etc).
  • When a key is loaded and needs to be decrypted
    • The thumbprint of the encryption certificate is loaded from the previously stored public portion.
    • The thumbprint is looked up in the internal XmlKeyDecryptionOptions class. If the certificate is not found, an error occurs (i.e. no payloads encrypted with this key can be decrypted).
    • The key is decrypted using the private key of the loaded certificate.

As already mentioned, this process is not officially documented anywhere I can find. I am also not 100% sure if that is a correct explanation either, due to the lack of documentation.
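The workflow described in the comment above (one certificate that protects newly generated keys, zero or more retired certificates kept only for unprotecting older keys) maps onto `ProtectKeysWithCertificate` and `UnprotectKeysWithAnyCertificate`. The following startup configuration is an added example, not code from the issue or from the ASP.NET Core project; the certificate directory, the `.pfx` password setting and the key directory are assumptions. Because the certificate set is computed once when the host starts, swapping the protecting certificate still requires a restart, which is exactly the limitation the comment describes.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: every key-protection certificate, current and retired, is a .pfx
// file in this directory, all sharing one password supplied from configuration
// (environment variable, secret store, etc.), never from source control.
var certDir = builder.Configuration["KeyProtection:CertificateDirectory"] ?? "/etc/app/keycerts";
var pfxPassword = builder.Configuration["KeyProtection:PfxPassword"];

// Load every certificate that carries a private key, newest first.
// Expired certificates are deliberately kept: keys encrypted under them may
// still be needed to unprotect payloads that are within their own lifetime.
var all = Directory.GetFiles(certDir, "*.pfx")
    .Select(path => new X509Certificate2(path, pfxPassword))
    .Where(c => c.HasPrivateKey)
    .OrderByDescending(c => c.NotBefore)
    .ToArray();

// The newest certificate that is still valid protects newly generated keys.
var current = all.FirstOrDefault(c => c.NotAfter > DateTime.UtcNow)
    ?? throw new InvalidOperationException("No valid key-protection certificate found.");

// Everything else is decrypt-only: its thumbprint is matched against the
// public portion stored with each persisted key when that key is loaded.
var retired = all.Where(c => !ReferenceEquals(c, current)).ToArray();

builder.Services.AddDataProtection()
    .SetApplicationName("my-app")
    .PersistKeysToFileSystem(new DirectoryInfo("/var/app/keys"))
    // Keep the key lifetime well inside the certificate lifetime so that a
    // certificate is retired long before the last key it protects expires.
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90))
    .ProtectKeysWithCertificate(current)
    .UnprotectKeysWithAnyCertificate(retired);

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

To rotate, drop the new `.pfx` into the directory and restart; the new certificate becomes the protecting one and the previous one automatically moves to the decrypt-only set, so existing persisted keys remain readable.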

0 reactions
msftbot[bot] commented, Sep 9, 2022

Thanks for contacting us.

We’re moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or it’s a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.
