ASP.NET Core DPAPI PersistKeyToFileSystem encrypting the key

Question

I am using ASP.NET Core DPAPI. The key in use is currently unprotected. I see in the docs an example that shows the key encrypted, but I can't figure out what is the api setting for that.

I am using the following:

services
.AddDataProtection()
.SetApplicationName("MyApp")
.SetDefaultKeyLifetime(TimeSpan.FromDays(3))
.PersistKeysToFileSystem(new DirectoryInfo("C:\MyDir"));

Below is an excerpt of the generated xml file:

    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>123345689...0987654321</value>
      </masterKey>
    </descriptor>
  </descriptor>

I want the disk persisted key to be encrypted as well. How do I achieve this ?

This doc shows an example with an encrypted key. What are the api method calls required to generate the xml key file with an encrypted key?

Answer 1

There are currently three methods available to encrypt the key before it's persisted to storage.

• ProtectKeysWithCertificate
• ProtectKeysWithDpapi (make sure to use the same windows user to unprotect the key)
• ProtectKeysWithDpapiNG

Your example could for instance be extended with ProtectKeysWithDpapi() like this:

services
.AddDataProtection()
...
.PersistKeysToFileSystem(new DirectoryInfo(@"C:\MyDir"))
.ProtectKeysWithDpapi();