We have an ASP.NET core 2.2 web application exposing some web api controllers. Our application does not have any kind of authentication mechanism, all the exposed endpoints can be called by an anonymous user.
When we host the application under IIS we get three strange warning messages at the application startup. These are the logs we get:
All these logs have Microsoft.AspNetCore.DataProtection as the log context and are written by the ASP.NET core framework internals.
The meaning of these logs seems quite clear to me: there is a "key" (whatever it means) that will be persisted in-memory because no registry storage has been provided (and, of course, it will be lost when the application exits). There is also a warning indicating that this key, if persisted, won't be encrypted in any way.
At this point I would ask the following questions:
SOME ADDITIONAL INFORMATION:
Some blogs online suggest that this kind of data protection warning is related to the usage of ASP.NET Identity, but we don't use Identity in our app (we have no authentication enabled). Other blogs suggest setting up the hosting application pool to load the user profile: I already tried that, but the warnings are still there.
I solved the issue thanks to the help of the asp.net core dev team. For a complete reference see the github issue I opened yesterday
Put briefly, the issue is related to the IIS configuration on my development machine. In order for ASP.NET Core data protection to work as expected there are some specific configuration requirements for IIS and the hosting application pool (see here for a complete reference).
For those having the same warnings inside their ASP.NET Core 2.2 web applications I suggest taking a look at this GitHub issue.
We have now added cookie authentication to our product and we need to support Kubernetes hosting. In Kubernetes with cookie authentication the warnings discussed in this Stack Overflow question are relevant, because you have to provide ASP.NET Core with a place to store the keys needed by the ASP.NET Core data protection system.
We opted to implement a persistent key ring in MongoDB. Some details can be found here. I can't show the code here (the project is not open source), but we have basically started from the official Entity Framework Core key ring store and substituted all the usages of the Entity Framework db context with an injected IMongoCollection<DataProtectionKey>. We have also modified the DataProtectionKey class by removing the Id property (we prefer letting MongoDB generate its own object ids).
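The post above describes the approach but not the code. The following is an added sketch of such a store, written for this page and not the poster's (non-public) implementation: it keeps the FriendlyName/Xml shape of the official EF Core store, drops the Id property as described, and plugs in through IXmlRepository. It assumes that an IMongoCollection<DataProtectionKey> is already registered in DI; the PersistKeysToMongoDb helper name is hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

// Key document: FriendlyName + key XML, no Id property, so MongoDB assigns its own _id.
[BsonIgnoreExtraElements]
public class DataProtectionKey
{
    public string FriendlyName { get; set; }
    public string Xml { get; set; }
}

// IXmlRepository is the only extension point a key store needs; the framework handles creation, rotation and expiry.
public class MongoXmlRepository : IXmlRepository
{
    private readonly IMongoCollection<DataProtectionKey> _keys;
    public MongoXmlRepository(IMongoCollection<DataProtectionKey> keys) => _keys = keys;
    public IReadOnlyCollection<XElement> GetAllElements() =>
        _keys.Find(Builders<DataProtectionKey>.Filter.Empty)
             .ToList()
             .Select(k => XElement.Parse(k.Xml))
             .ToList();
    // Called when a new key is generated; keys are only ever appended, never updated in place.
    public void StoreElement(XElement element, string friendlyName) =>
        _keys.InsertOne(new DataProtectionKey
        {
            FriendlyName = friendlyName,
            Xml = element.ToString(SaveOptions.DisableFormatting)
        });
}

public static class MongoDataProtectionExtensions
{
    // Hypothetical helper: services.AddDataProtection().PersistKeysToMongoDb();
    // the collection is resolved from DI when KeyManagementOptions is built.
    public static IDataProtectionBuilder PersistKeysToMongoDb(this IDataProtectionBuilder builder)
    {
        builder.Services.AddOptions<KeyManagementOptions>()
            .Configure<IMongoCollection<DataProtectionKey>>(
                (options, collection) => options.XmlRepository = new MongoXmlRepository(collection));
        return builder;
    }
}
```

Because this only replaces where the key XML is stored, the keys are still written unencrypted unless a ProtectKeysWith* option is configured as well.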
The ASP.NET Core data protection provides a cryptographic API to protect data, including key management and rotation. Web applications often need to store security-sensitive data. Windows provides a data protection API, DPAPI, but Windows DPAPI isn't intended for use in web applications.
To handle exceptions and display user friendly messages, we need to install the Microsoft.AspNetCore.Diagnostics NuGet package and add middleware in the Configure() method. If you are using Visual Studio templates to create an ASP.NET Core application then this package might already be installed.
The data-protection system uses symmetric-key encryption to protect data. A key containing random data is used to encrypt the data, and the same key is used to decrypt the data.
Data Protection is used by various components to encrypt data at runtime, for example:
You can read more about it in the docs: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction
You understood the warnings correctly, it has created a key but couldn't decide where to store the key. So it'll be lost if the app restarts. If you don't use e.g. authentication cookies, you may be able to ignore these warnings. You can also configure a storage location, outside your app's folder.
If you're not using any authentication mechanism (ex: ASP.NET Core Identity which is using this type of keys) and if you're not using DataProtection API somewhere else you're good to go (for now).
What happens there?
You entered a fallback mechanism for storing keys (in-memory storage). You will lose your keys when your app gets restarted.
What problems you can face?
Example: If you're using authentication mechanisms, you will end up with screwed authentication cookies, email validation tokens, reset password tokens, etc
What you can do right now?
If you want (future-proof solution) you can store the keys somewhere (ex: Redis).
Further reading: https://cypressnorth.com/programming/solved-using-memory-repository-keys-will-not-persisted-storage-asp-net-core-iis/
ASP.NET Core DataProtection stores keys in the HOME directory (/root/.aspnet/DataProtection-Keys), so when the container restarts the keys are lost and this might crash the service.
This can be resolved by persisting keys at
More details about ASP.NET DataProtection:
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-3.1
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-3.1
To mount an external volume (C:/temp-keys) to the docker container volume (/root/.aspnet/DataProtection-Keys) use the following command:
docker run -d -v /c/temp-keys:/root/.aspnet/DataProtection-Keys container-name
Also, you need to update your Startup.cs ConfigureServices method to configure the DataProtection policy:
    using System.IO;
    using Microsoft.AspNetCore.DataProtection;
    using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
    using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;

    // persist the key ring to the mounted directory instead of the default in-memory repository
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"C:\temp-keys\"))
        .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration()
        {
            EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
            ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
        });
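The configuration above persists the key ring, but the keys are still written to disk unencrypted, which is the second warning quoted in the question. The following is an added example, not part of the answer above, that also encrypts the keys at rest with an X.509 certificate and names the application so that several pods sharing the same store read the same ring. The environment variable names, the certificate path and the application name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class DataProtectionSetup
{
    // Hypothetical helper called from Startup.ConfigureServices(IServiceCollection services).
    public static void AddPersistedDataProtection(IServiceCollection services)
    {
        // Key directory: defaults to the path the container mounts (see the docker command above),
        // overridable via an assumed DP_KEY_DIR environment variable.
        var keyDir = Environment.GetEnvironmentVariable("DP_KEY_DIR")
                     ?? "/root/.aspnet/DataProtection-Keys";

        // Certificate (PFX) used only to encrypt the key XML at rest; the path and
        // password variable are placeholders, e.g. a mounted Kubernetes secret.
        var certPath = Environment.GetEnvironmentVariable("DP_CERT_PFX") ?? "/run/secrets/dp-cert.pfx";
        var certPassword = Environment.GetEnvironmentVariable("DP_CERT_PASSWORD");
        var cert = new X509Certificate2(certPath, certPassword);

        services.AddDataProtection()
            // all replicas using this name and store share one key ring
            .SetApplicationName("my-web-api")
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir))
            // encrypts each key with the certificate; the same instance is registered for decryption
            .ProtectKeysWithCertificate(cert)
            // 90 days is the framework default; stated explicitly so rotation is visible in config
            .SetDefaultKeyLifetime(TimeSpan.FromDays(90));
    }
}
```

With the certificate configured, the "key will not be encrypted" warning no longer applies, and a copy of the key directory alone is not enough to unprotect cookies or tokens.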