Updates

Author: guardrex

aspnetcore/release-notes/aspnetcore-9/includes/delete_keys.md

@@ -2,4 +2,4 @@
 
 Prior to .NET 9, data protection keys were ___not___ deletable by design, to prevent data loss. Deleting a key renders its protected data irretrievable. Given their small size, the accumulation of these keys generally posed minimal impact. However, to accommodate extremely long-running services, we have introduced the option to delete keys. Generally, only old keys should be deleted. Only delete keys when you can accept the risk of data loss in exchange for storage savings. We recommend data protection keys should ___not___ be deleted.
 
-:::code language="csharp" source="~/security/data-protection/configuration/samples/9/deleteKeys/Program.cs" :::
+:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs" :::

aspnetcore/security/data-protection/configuration/default-settings.md

@@ -58,7 +58,7 @@ Deleting a key makes its protected data permanently inaccessible. To mitigate th
 
 We recommend not deleting data protection keys.
 
-:::code language="csharp" source="~/security/data-protection/configuration/samples/9/deleteKeys/Program.cs" :::
+:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs" :::
 
 ## Additional resources
 

aspnetcore/security/data-protection/configuration/overview.md

@@ -122,15 +122,37 @@ This property represents the table in which the keys are stored. Create the tabl
 
 ## Protect keys configuration API (`ProtectKeysWith\*`)
 
-You can configure the system to protect keys at rest by calling any of the [ProtectKeysWith\*](xref:Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions) configuration APIs. Consider the example below, which stores keys on a UNC share and encrypts those keys at rest with a specific X.509 certificate:
+You can configure the system to protect keys at rest by calling any of the [`ProtectKeysWith\*`](xref:Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions) configuration APIs. Consider the example below, which stores keys on a UNC share and encrypts those keys at rest with a specific X.509 certificate.
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-9.0"
+
+You can provide an <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> to <xref:Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions.ProtectKeysWithCertificate%2A> from a file by calling <xref:System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadCertificateFromFile%2A?displayProperty=nameWithType>:
+
+:::code language="csharp" source="samples/6.x/DataProtectionConfigurationSample/Snippets/Program.cs" id="snippet_AddDataProtectionProtectKeysWithCertificateX509Certificate2":::
+
+The following code example demonstrates how to load a certificate using a thumbprint:
 
 :::code language="csharp" source="samples/6.x/DataProtectionConfigurationSample/Snippets/Program.cs" id="snippet_AddDataProtectionProtectKeysWithCertificate":::
 
+:::moniker-end
+
+:::moniker range=">= aspnetcore-6.0 < aspnetcore-9.0"
+
 You can provide an <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> to <xref:Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions.ProtectKeysWithCertificate%2A>, such as a certificate loaded from a file:
 
 :::code language="csharp" source="samples/6.x/DataProtectionConfigurationSample/Snippets/Program.cs" id="snippet_AddDataProtectionProtectKeysWithCertificateX509Certificate2":::
 
-See [Key Encryption At Rest](xref:security/data-protection/implementation/key-encryption-at-rest) for more examples and discussion on the built-in key encryption mechanisms.
+The following code example demonstrates how to load a certificate using a thumbprint:
+
+:::code language="csharp" source="samples/6.x/DataProtectionConfigurationSample/Snippets/Program.cs" id="snippet_AddDataProtectionProtectKeysWithCertificate":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-6.0"
+
+For examples and discussion on the built-in key encryption mechanisms, see <xref:security/data-protection/implementation/key-encryption-at-rest>.
 
 ## Unprotect keys with any certificate (`UnprotectKeysWithAnyCertificate`)
 
@@ -186,7 +208,7 @@ For more information on how the discriminator is used, see the following section
 > app.MapGet("/", () => Assembly.GetEntryAssembly()!.GetName().Name);
 > 
 > app.Run();
->  ```
+> ```
 
 ## Disable automatic key generation (`DisableAutomaticKeyGeneration`)
 
@@ -418,7 +440,7 @@ public DbSet<DataProtectionKey> DataProtectionKeys { get; set; }
 
 This property represents the table in which the keys are stored. Create the table manually or with `DbContext` Migrations. For more information, see <xref:Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey>.
 
-## `ProtectKeysWith\*`
+## Protect keys configuration API (`ProtectKeysWith\*`)
 
 You can configure the system to protect keys at rest by calling any of the [`ProtectKeysWith\*`](xref:Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions) configuration APIs. Consider the example below, which stores keys on a UNC share and encrypts those keys at rest with a specific X.509 certificate:
 

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/DataProtectionConfigurationSample.csproj

@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.5.0" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.6.0" />
+    <PackageReference Include="Azure.Identity" Version="1.14.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="9.0.5" />
+  </ItemGroup>
+
+</Project>

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/Program.cs

@@ -0,0 +1,6 @@
+var builder = WebApplication.CreateBuilder(args);
+var app = builder.Build();
+
+app.MapGet("/", () => "Hello World!");
+
+app.Run();

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/Snippets/Program.cs

@@ -0,0 +1,193 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Azure.Identity;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+
+namespace DataProtectionConfigurationSample.Snippets;
+
+public static class Program
+{
+    public static void AddDataProtectionProtectKeysWithAzureKeyVault(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionProtectKeysWithAzureKeyVault>
+        builder.Services.AddDataProtection()
+            .PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
+            .ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"),
+                new DefaultAzureCredential());
+        // </snippet_AddDataProtectionProtectKeysWithAzureKeyVault>
+    }
+
+    public static void AddDataProtectionProtectKeysWithAzureKeyVaultConnectionString(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionProtectKeysWithAzureKeyVaultConnectionString>
+        builder.Services.AddDataProtection()
+            // This blob must already exist before the application is run
+            .PersistKeysToAzureBlobStorage(
+                "<storageAccountConnectionString", "<containerName>", "<blobName>")
+            // Removing this line below for an initial run will ensure the file is
+            // created correctly
+            .ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"),
+                new DefaultAzureCredential());
+        // </snippet_AddDataProtectionProtectKeysWithAzureKeyVaultConnectionString>
+    }
+
+    public static void AddDataProtectionPersistKeysToFileSystem(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionPersistKeysToFileSystem>
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(
+                new DirectoryInfo(@"\\server\share\directory\"));
+        // </snippet_AddDataProtectionPersistKeysToFileSystem>
+    }
+
+    public static void AddDataProtectionPersistKeysToDbContext(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionPersistKeysToDbContext>
+        builder.Services.AddDataProtection()
+            .PersistKeysToDbContext<SampleDbContext>();
+        // </snippet_AddDataProtectionPersistKeysToDbContext>
+    }
+
+    public static void AddDataProtectionProtectKeysWithCertificate(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionProtectKeysWithCertificate>
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(
+                new DirectoryInfo(builder.Configuration["CertificatePath"] ?? 
+                throw new Exception("No path")))
+            .ProtectKeysWithCertificate(
+                builder.Configuration["CertificateThumbprint"] ?? 
+                throw new Exception("No thumbprint"));
+        // </snippet_AddDataProtectionProtectKeysWithCertificate>
+    }
+
+    public static void AddDataProtectionProtectKeysWithCertificateX509Certificate2(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionProtectKeysWithCertificateX509Certificate2>
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(new DirectoryInfo(
+                builder.Configuration["CertificatePath"] ?? 
+                throw new Exception("No path")))
+            .ProtectKeysWithCertificate(
+                X509CertificateLoader.LoadCertificateFromFile(
+                builder.Configuration["CertificateFileName"] ?? 
+                throw new Exception("No file name")));
+        // </snippet_AddDataProtectionProtectKeysWithCertificateX509Certificate2>
+    }
+
+    public static void AddDataProtectionUnprotectKeysWithAnyCertificate(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionUnprotectKeysWithAnyCertificate>
+        builder.Services.AddDataProtection()
+            .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
+            .ProtectKeysWithCertificate(
+                X509CertificateLoader.LoadCertificateFromFile(
+                builder.Configuration["CertificateFileName"] ?? 
+                throw new Exception("No file name")))
+            .UnprotectKeysWithAnyCertificate(
+                X509CertificateLoader.LoadCertificateFromFile(
+                builder.Configuration["CertificateFileName1"] ?? 
+                throw new Exception("No file name 1")),
+                X509CertificateLoader.LoadCertificateFromFile(
+                builder.Configuration["CertificateFileName2"] ?? 
+                throw new Exception("No file name 2")));
+        // </snippet_AddDataProtectionUnprotectKeysWithAnyCertificate>
+    }
+
+    public static void AddDataProtectionSetDefaultKeyLifetime(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionSetDefaultKeyLifetime>
+        builder.Services.AddDataProtection()
+            .SetDefaultKeyLifetime(TimeSpan.FromDays(14));
+        // </snippet_AddDataProtectionSetDefaultKeyLifetime>
+    }
+
+    public static void AddDataProtectionSetApplicationName(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionSetApplicationName>
+        builder.Services.AddDataProtection()
+            .SetApplicationName("<sharedApplicationName>");
+        // </snippet_AddDataProtectionSetApplicationName>
+    }
+
+    public static void AddDataProtectionDisableAutomaticKeyGeneration(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionDisableAutomaticKeyGeneration>
+        builder.Services.AddDataProtection()
+            .DisableAutomaticKeyGeneration();
+        // </snippet_AddDataProtectionDisableAutomaticKeyGeneration>
+    }
+
+    public static void AddDataProtectionUseCryptographicAlgorithms(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionUseCryptographicAlgorithms>
+        builder.Services.AddDataProtection()
+            .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration
+            {
+                EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
+                ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
+            });
+        // </snippet_AddDataProtectionUseCryptographicAlgorithms>
+    }
+
+    public static void AddDataProtectionUseCustomCryptographicAlgorithms(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionUseCustomCryptographicAlgorithms>
+        builder.Services.AddDataProtection()
+            .UseCustomCryptographicAlgorithms(
+                new ManagedAuthenticatedEncryptorConfiguration
+                {
+                    // A type that subclasses SymmetricAlgorithm
+                    EncryptionAlgorithmType = typeof(Aes),
+
+                    // Specified in bits
+                    EncryptionAlgorithmKeySize = 256,
+
+                    // A type that subclasses KeyedHashAlgorithm
+                    ValidationAlgorithmType = typeof(HMACSHA256)
+                });
+        // </snippet_AddDataProtectionUseCustomCryptographicAlgorithms>
+    }
+
+#pragma warning disable CA1416 // Validate platform compatibility
+    public static void AddDataProtectionUseCustomCryptographicAlgorithmsCngCbc(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionUseCustomCryptographicAlgorithmsCngCbc>
+        builder.Services.AddDataProtection()
+            .UseCustomCryptographicAlgorithms(
+                new CngCbcAuthenticatedEncryptorConfiguration
+                {
+                    // Passed to BCryptOpenAlgorithmProvider
+                    EncryptionAlgorithm = "AES",
+                    EncryptionAlgorithmProvider = null,
+
+                    // Specified in bits
+                    EncryptionAlgorithmKeySize = 256,
+
+                    // Passed to BCryptOpenAlgorithmProvider
+                    HashAlgorithm = "SHA256",
+                    HashAlgorithmProvider = null
+                });
+        // </snippet_AddDataProtectionUseCustomCryptographicAlgorithmsCngCbc>
+    }
+
+    public static void AddDataProtectionUseCustomCryptographicAlgorithmsCngGcm(WebApplicationBuilder builder)
+    {
+        // <snippet_AddDataProtectionUseCustomCryptographicAlgorithmsCngGcm>
+        builder.Services.AddDataProtection()
+            .UseCustomCryptographicAlgorithms(
+                new CngGcmAuthenticatedEncryptorConfiguration
+                {
+                    // Passed to BCryptOpenAlgorithmProvider
+                    EncryptionAlgorithm = "AES",
+                    EncryptionAlgorithmProvider = null,
+
+                    // Specified in bits
+                    EncryptionAlgorithmKeySize = 256
+                });
+        // </snippet_AddDataProtectionUseCustomCryptographicAlgorithmsCngGcm>
+    }
+#pragma warning restore CA1416 // Validate platform compatibility
+}

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/Snippets/SampleDbContext.cs

@@ -0,0 +1,14 @@
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
+
+namespace DataProtectionConfigurationSample.Snippets;
+
+public class SampleDbContext : DbContext, IDataProtectionKeyContext
+{
+    public SampleDbContext(DbContextOptions<SampleDbContext> dbContextOptions)
+        : base(dbContextOptions) { }
+
+    // <snippet_DataProtectionKeys>
+    public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } = null!;
+    // </snippet_DataProtectionKeys>
+}

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

aspnetcore/security/data-protection/configuration/samples/9.x/DataProtectionConfigurationSample/appsettings.json

@@ -0,0 +1,10 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning",
+      "Microsoft.AspNetCore.DataProtection": "Information"
+    }
+  },
+  "AllowedHosts": "*"
+}