
I am not able to generate the DataProtectionKeyRing when I am storing it in Azure Blob Storage and protecting it using a Key Vault key. I am using the UseCookieAuthentication middleware for authentication. Only storing it in Azure Blob Storage works, but protecting it using Key Vault does not generate the key in blob storage. My application is on .NET 4.8. I am using the Azure.Extensions.AspNetCore.DataProtection.Keys NuGet package.

I tried all the overloads of ProtectKeysWithAzureKeyVault, but none of them creates the key in blob storage.

Rahul Shinde

1 Answer

Here you are trying to use the Azure Key Vault to protect the keys for your ASP.NET application's data protection, and you are getting issues with generating the DataProtectionKeyRing and storing it in Azure Blob Storage.

Follow the below steps to resolve the issue.

Check whether you have the necessary permissions to access Azure Key Vault and Blob Storage.

You should have the Contributor or Owner role assigned to your account or service principal.

Ensure that you have configured the correct settings for your application to access Azure Key Vault and Blob Storage.

This can be done in the appsettings.json file or through environment variables.

Check the version compatibility of the Azure.Extensions.AspNetCore.DataProtection.Keys nuget package with .NET Framework 4.8. You may need to update to a newer version or use a different package that supports your framework.

Verify that the Key Vault URL and Key Name are correct in the code where you are using ProtectKeysWithAzureKeyVault.

You can try to use the Azure Key Vault SDK directly instead of the Azure.Extensions.AspNetCore.DataProtection.Keys NuGet package to see if it resolves the issue. Here is an example of using the SDK to store keys in Blob Storage.

The below namespaces are used.

using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

Here is the csproj:

[screenshot of the csproj file in the original answer]

Followed this MSDoc.


// Also required, in addition to the namespaces listed above:
// System (Console, DateTimeOffset), System.IO (DirectoryInfo), System.Threading (Thread).
using System;
using System.IO;
using System.Threading;

var serviceCollection = new ServiceCollection();
serviceCollection.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"c:\temp-keys"))
    .ProtectKeysWithDpapi();
var services = serviceCollection.BuildServiceProvider();

// The key ring is created lazily: the first protect operation is what writes the first key.
services.GetDataProtector("Sample.KeyManager.v1").Protect("payload");
Console.WriteLine("Performed a protect operation.");
Thread.Sleep(2000);

// Inspect the key ring that was just created.
var keyManager = services.GetService<IKeyManager>();
var allKeys = keyManager.GetAllKeys();
Console.WriteLine($"The key ring contains {allKeys.Count} key(s).");
foreach (var key in allKeys)
{
    Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}");
}

// Revoke every existing key and create a fresh one that expires in a month.
keyManager.RevokeAllKeys(DateTimeOffset.Now, reason: "Revocation reason here.");
Console.WriteLine("Revoked all existing keys.");
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.Now,
    expirationDate: DateTimeOffset.Now.AddMonths(1));
Console.WriteLine("Added a new key.");

// List the key ring again; the revoked keys are still present but flagged as revoked.
allKeys = keyManager.GetAllKeys();
Console.WriteLine($"The key ring contains {allKeys.Count} key(s).");
foreach (var key in allKeys)
{
    Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}");
}
Rajesh Mopati
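For the Blob Storage plus Key Vault combination the question actually asks about, here is an added example (not the answer's code and not Microsoft's sample) that wires PersistKeysToAzureBlobStorage and ProtectKeysWithAzureKeyVault together, forces the first protect operation that creates the key ring, and then lists the keys so a missing key or a permission problem shows up immediately. The storage account, container, blob name and Key Vault key URI are placeholders, and it assumes the Azure.Extensions.AspNetCore.DataProtection.Blobs and Azure.Identity packages are referenced alongside the Keys package.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingCheck
{
    public static void Main()
    {
        // Placeholders: replace with your own storage account, container, blob name
        // and Key Vault key identifier (these are not real resources).
        var blobUri = new Uri("https://<storage-account>.blob.core.windows.net/dataprotection/keys.xml");
        var keyVaultKeyUri = new Uri("https://<vault-name>.vault.azure.net/keys/<key-name>");

        // DefaultAzureCredential resolves a managed identity, environment variables or a
        // developer sign-in. That identity needs write access to the blob container and
        // the wrapKey/unwrapKey permissions on the Key Vault key; without the latter the
        // key ring cannot be encrypted and nothing is written to the blob.
        var credential = new DefaultAzureCredential();

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("MyApp") // same name on every instance that shares the ring
            .PersistKeysToAzureBlobStorage(blobUri, credential)
            .ProtectKeysWithAzureKeyVault(keyVaultKeyUri, credential);

        using (var provider = services.BuildServiceProvider())
        {
            // The key ring is created lazily: no key reaches the blob until a protector
            // is used for the first time, so perform one protect/unprotect round trip.
            var protector = provider.GetDataProtector("Sample.Purpose.v1");
            var ciphertext = protector.Protect("hello");
            Console.WriteLine($"Round trip: {protector.Unprotect(ciphertext)}");

            // Now inspect the key ring. An exception here (authorization, wrong URI)
            // is the real cause of a "key never appears in blob storage" symptom.
            var keyManager = provider.GetRequiredService<IKeyManager>();
            foreach (var key in keyManager.GetAllKeys())
            {
                Console.WriteLine(
                    $"Key {key.KeyId:B}: active {key.ActivationDate:u}, expires {key.ExpirationDate:u}, revoked {key.IsRevoked}");
            }
        }
    }
}
```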