Share DPAPI keys between servers?

Question

I have a ASP.NET WebForms application running on .NET 4.5.1 and have been using cookie based authentication with the FormsAuthentication API (not using the Identity API, however; instead I manage users and session "manually"). This application runs on multiple servers and, in order to make cookies work on all servers, I have set the machine key to the same value for all server in the web.config-file.

In order to make it possible to share authentication cookies with an MVC application running on .NET Core 1.0 I am however moving from the FormsAuthentication API to Katana/OWIN based cookie authentication. While I have got the authentication and sharing of cookies working on a single machine by following the steps at https://github.com/blowdart/idunno.CookieSharing I am not sure how to share keys between servers. All examples setup cookie based authentication by pointing to a path containing the key files. If I were able to generate keys manually and copy these to all servers this would work. I don't know how to generate these key files, however (and the docs doesn't seem to mention how to do this). Putting key files in a shared folder, as some examples suggest, is not possible as the servers are on completely separate networks (this may change in the future but not right now).

Is there a way to share the keys between multiple server with my setup (i.e no possibility of shared folders)?

Answer 1

David, for now you it appears you are correct it is hard to step out of the box. Plan of record for 1.1 is easy access to KeyVault and AzureStorage. For now, I think you may have to implement parts of KeyManager (most likely IXMLRepository) see: docs.asp.net/en/latest/security/data-protection/extensibilit‌​y/… I am interested why machines on separate domains need to share keys