1
votes

Have an app running on Azure App Service with DataProtection enabled. The keys are stored in %HOME%\ASP.NET\DataProtection-Keys (https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/default-settings?view=aspnetcore-2.1). Is it possible to move these existing keys to Azure blob storage?

1
I would actually recommend using a key vault instead, since it is meant for this, unless you have any reason to use blobs. - Neville Nazerane
Yes, key vault storage is maybe better, but how do I get the existing keys there? I want to keep the users logged in, so I need to move the existing keys. - Guido Neele
Just curious, @NevilleNazerane: you mention using a key vault instead, which is exactly what I want to do. However, I don't see a corresponding .PersistKeysToAzureKeyVault(), which is what I would expect to be available given the way the other persistence providers are set up. I see ProtectKeysWithAzureKeyVault(), but that seems to be a mechanism just to encrypt the keys with a key from Key Vault. I want to actually store my keys in Key Vault; can you elaborate on how to make that happen? - xinunix
I have implemented a solution to host your key ring in Azure Key Vault; see this link for details: github.com/edumentab/AzureKeyVaultKeyRingRepository - Tore Nestenius

1 Answer

0
votes

The keys are accessible via the Advanced Tools (Kudu) of the app service. When Kudu is launched in a separate tab, go to Debug Console and navigate to ASP.NET\DataProtection-Keys. Here you can download the keys and move them to a storage container.
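The downloaded folder holds one XML file per key, so the files have to be combined before upload if the blob provider expects a single document. The following is an added example, not part of the original answer and not Microsoft's code, that merges the downloaded files into one document. It assumes the Azure Blob Storage provider reads the whole key ring from a single blob whose root element is `<repository>` (verify this against the package version in use); the function names and sample key data are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for a downloaded key file (real ones are key-{guid}.xml
# and, on App Service, hold the master key unencrypted: treat them as secrets).
SAMPLE_KEY = """<?xml version="1.0" encoding="utf-8"?>
<key id="{kid}" version="1">
  <creationDate>2018-09-01T00:00:00Z</creationDate>
  <descriptor><descriptor><masterKey><value>CONSTRUCTED</value></masterKey></descriptor></descriptor>
</key>"""


def merge_key_ring(key_dir):
    """Return one <repository> document (bytes) holding every key/revocation
    element found in key_dir, ready to upload as a single blob."""
    root = ET.Element("repository")
    key_ids = set()
    for path in sorted(Path(key_dir).glob("*.xml")):
        elem = ET.parse(path).getroot()
        if elem.tag not in ("key", "revocation"):
            raise ValueError(f"{path.name}: unexpected root element <{elem.tag}>")
        if elem.tag == "key":
            kid = elem.get("id")
            if not kid or kid in key_ids:
                raise ValueError(f"{path.name}: missing or duplicate key id")
            key_ids.add(kid)
        root.append(elem)
    if not key_ids:
        raise ValueError("no <key> elements found; nothing to migrate")
    return ET.tostring(root, encoding="utf-8")


def demo():
    """Merge two constructed key files and return (merged_bytes, key_ids)."""
    ids = ["00000000-0000-0000-0000-000000000001",
           "00000000-0000-0000-0000-000000000002"]
    with tempfile.TemporaryDirectory() as tmp:
        for kid in ids:
            Path(tmp, f"key-{kid}.xml").write_text(SAMPLE_KEY.format(kid=kid))
        merged = merge_key_ring(tmp)
    found = [k.get("id") for k in ET.fromstring(merged).findall("key")]
    return merged, found


if __name__ == "__main__":
    print(demo()[0].decode("utf-8"))
```

Upload the returned bytes as the blob that the app's PersistKeysToAzureBlobStorage configuration points to, and restrict access to that blob as you would for any other secret.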