
I am trying to set up Data Protection in my Azure web apps, so that when I swap between staging and production it doesn't log everyone out. I am stuck on encrypting the keys with a self-signed certificate in Azure.

My question is very much related to: ASP.Net Core Data Protection API in a Clustered Environment. However, the answer on that one does not work for me, as I had already gotten this far.

My code works perfectly fine when I run it locally with a certificate installed on my machine, but when I deploy to my Azure web app it won't start and just throws a generic error:

Unhandled Exception: System.Security.Cryptography.CryptographicException: Exception of type 'System.Security.Cryptography.CryptographicException' was thrown.

To set up my data protection, I am using the following code in ConfigureServices:

// Required namespaces (Microsoft.AspNetCore.DataProtection and
// Microsoft.AspNetCore.DataProtection.AzureStorage packages)
using Microsoft.AspNetCore.DataProtection;
using Microsoft.WindowsAzure.Storage;

// Add data protection
// Key ring lives in a blob so every instance/slot reads the same keys
var storageAccount = CloudStorageAccount.Parse(Configuration["BlobStorage:ConnectionString"]);
var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference(Configuration["DataProtection:ContainerName"]);
container.CreateIfNotExistsAsync().Wait();

services.AddDataProtection()
    .SetApplicationName(Configuration["DataProtection:ApplicationName"])
    .PersistKeysToAzureBlobStorage(container, Configuration["DataProtection:BlobName"])
    // Encrypt the keys at rest with the certificate identified by thumbprint
    .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{Configuration["Authentication:SingingCertThumbprint"]}",
        DpapiNGProtectionDescriptorFlags.None);

The certificate I am using is self-signed and I have uploaded it to Azure through the SSL certificates section on the web app (however, as suggested on other posts, I have also tried a trusted certificate - no luck).

I am using the WEBSITE_LOAD_CERTIFICATES app setting in my Azure web app, so this is not the problem either.

Also worth noting, if I remove

.ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{Configuration["Authentication:SingingCertThumbprint"]}",
    DpapiNGProtectionDescriptorFlags.None);

then the web app starts and runs fine. But now my keys are obviously being stored unencrypted.

Any help would be much appreciated, thanks.

MitchellNZ

1 Answer


I also encountered the same issue. I tried changing the platform to 64-bit and scaling up my app plan, but none of these worked. ProtectKeysWithDpapiNG might not be supported by Azure Web App. I suggest you use ProtectKeysWithDpapi instead. The key will be encrypted by Windows DPAPI.

Amor
  • Thanks for the response. Makes me slightly happier to hear I'm not the only one with this problem then... I tried ProtectKeysWithDpapi and can confirm that works. However, I require multiple servers to be looking at this data, so that doesn't really work as a solution for me (hence why I wanted to use the certificate). – MitchellNZ Aug 06 '17 at 20:54
  • I suggest you post this issue on Azure feedback site. https://feedback.azure.com – Amor Aug 17 '17 at 05:58
  • Even `ProtectKeysWithDpapi` doesn't seem to work for me. It still has an encryption error. – liang Jan 21 '20 at 11:56
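The thread ends with DPAPI working but being machine-bound, which rules it out for a shared key ring. The following is an added example, not code from the question or the answer: it keeps the blob-backed key ring and application name from the question, but swaps the DPAPI-NG descriptor for `ProtectKeysWithCertificate`, which encrypts the keys to an X.509 certificate so any instance or slot holding the private key can unprotect them. The `LoadKeyProtectionCertificate` and `AddSharedDataProtection` helper names are this example's own; the configuration keys are the ones used in the question. It assumes the certificate was uploaded as a PFX (with its private key) and exposed through WEBSITE_LOAD_CERTIFICATES, which places it in the CurrentUser\My store on App Service; the checks turn the bare CryptographicException into a message that says which of those preconditions failed.

```csharp
// Added example (not from the original question or answer): protect the
// Data Protection key ring with an X.509 certificate instead of DPAPI-NG,
// so every instance and slot that holds the certificate's private key can
// decrypt the shared keys stored in blob storage.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.WindowsAzure.Storage;

public static class DataProtectionSetup
{
    // Looks the certificate up by thumbprint. On Azure App Service,
    // WEBSITE_LOAD_CERTIFICATES places uploaded certificates in CurrentUser\My;
    // LocalMachine\My is checked second so the same code works on a dev box.
    // (Helper name and error messages are this example's own.)
    public static X509Certificate2 LoadKeyProtectionCertificate(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException("Certificate thumbprint is not configured.");

        // Thumbprints copied from the portal or certmgr often carry spaces or an
        // invisible left-to-right mark; either makes the store lookup return nothing.
        thumbprint = thumbprint.Replace(" ", "").Replace("\u200E", "").ToUpperInvariant();

        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using (var store = new X509Store(StoreName.My, location))
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

                // validOnly: false, otherwise a self-signed certificate is filtered out
                var matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                if (matches.Count == 0)
                    continue;

                var cert = matches[0];
                // The key ring is encrypted to the public key, but reading it back at
                // startup needs the private key. A certificate uploaded as .cer rather
                // than .pfx has none and fails with an unhelpful CryptographicException.
                if (!cert.HasPrivateKey)
                    throw new InvalidOperationException(
                        $"Certificate {thumbprint} was found in {location}\\My but has no private key; upload it as a PFX.");
                return cert;
            }
        }

        throw new InvalidOperationException(
            $"Certificate {thumbprint} was not found in CurrentUser\\My or LocalMachine\\My. " +
            "Check that WEBSITE_LOAD_CERTIFICATES lists this thumbprint (or '*') on the web app.");
    }

    // Call from ConfigureServices. Uses the same configuration keys as the question.
    public static void AddSharedDataProtection(IServiceCollection services, IConfiguration configuration)
    {
        var storageAccount = CloudStorageAccount.Parse(configuration["BlobStorage:ConnectionString"]);
        var container = storageAccount.CreateCloudBlobClient()
            .GetContainerReference(configuration["DataProtection:ContainerName"]);
        container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

        var cert = LoadKeyProtectionCertificate(configuration["Authentication:SingingCertThumbprint"]);

        services.AddDataProtection()
            // Must be identical in both slots, or they will not share the key ring.
            .SetApplicationName(configuration["DataProtection:ApplicationName"])
            .PersistKeysToAzureBlobStorage(container, configuration["DataProtection:BlobName"])
            // Keys in the blob are encrypted to this certificate's public key;
            // any instance that can load the private key can unprotect them.
            .ProtectKeysWithCertificate(cert);
    }
}
```

Because the key ring is now tied to the certificate rather than to a machine, both slots must be able to load the same certificate, so WEBSITE_LOAD_CERTIFICATES has to be set on the staging slot as well (it is a slot setting unless marked otherwise). When the certificate is later replaced, keep the old one loadable and pass it to `UnprotectKeysWithAnyCertificate` so keys encrypted under it can still be read until they expire.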