I am using ASP.NET Core DPAPI. The key in use is currently unprotected. I see in the docs an example that shows the key encrypted, but I can't figure out what is the api setting for that.
I am using the following:
services
.AddDataProtection()
.SetApplicationName("MyApp")
.SetDefaultKeyLifetime(TimeSpan.FromDays(3))
// Verbatim string literal: "C:\MyDir" would not compile because \M is not a valid escape sequence.
.PersistKeysToFileSystem(new DirectoryInfo(@"C:\MyDir"));
Below is an excerpt of the generated xml file:
<descriptor>
  <encryption algorithm="AES_256_CBC" />
  <validation algorithm="HMACSHA256" />
  <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
    <!-- Warning: the key below is in an unencrypted form. -->
    <value>123345689...0987654321</value>
  </masterKey>
</descriptor>
I want the disk-persisted key to be encrypted as well. How do I achieve this?
This doc shows an example with an encrypted key. What are the API method calls required to generate the XML key file with an encrypted key?
There are currently three methods available to encrypt the key before it's persisted to storage.
Your example could for instance be extended with
ProtectKeysWithDpapi()
like this:
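As an added illustration (not part of the answer above), here is the questioner's registration extended with ProtectKeysWithDpapi() in a small console program that also checks the persisted key file. It assumes a Windows host (DPAPI is Windows-only), the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages, and that the key directory and purpose string "MyApp.Demo" are arbitrary choices.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical console program, not the project's own code.
class Program
{
    static void Main()
    {
        var keyDir = new DirectoryInfo(@"C:\MyDir"); // assumed key directory

        var services = new ServiceCollection();
        services
            .AddDataProtection()
            .SetApplicationName("MyApp")
            .SetDefaultKeyLifetime(TimeSpan.FromDays(3))
            .PersistKeysToFileSystem(keyDir)
            // Encrypt the master key at rest with Windows DPAPI, scoped to the
            // current user account. ProtectKeysWithDpapi(protectToLocalMachine: true)
            // would instead let any account on this machine decrypt it.
            // On non-Windows hosts this call throws PlatformNotSupportedException.
            .ProtectKeysWithDpapi();

        IDataProtector protector = services.BuildServiceProvider()
            .GetDataProtectionProvider()
            .CreateProtector("MyApp.Demo"); // assumed purpose string

        // Protecting a value forces key generation, so a key-*.xml file is written.
        string payload = protector.Protect("hello");
        Console.WriteLine(protector.Unprotect(payload)); // prints "hello"

        // Sanity check: the persisted file must not carry a plaintext master key
        // and should instead contain an <encryptedSecret> element.
        foreach (FileInfo file in keyDir.GetFiles("key-*.xml"))
        {
            string xml = File.ReadAllText(file.FullName);
            bool plaintext = xml.Contains("the key below is in an unencrypted form");
            bool encrypted = xml.Contains("<encryptedSecret");
            Console.WriteLine($"{file.Name}: plaintext={plaintext}, encrypted={encrypted}");
        }
    }
}
```

Keys created before ProtectKeysWithDpapi() was added stay unencrypted on disk; they are still readable by the key ring, so rotate or delete them once the new configuration is in place.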