delete keys for wn (#33324)

Rick-Anderson · amcasey · web-flow · commit 7cd8277ab51a · 2024-08-12T08:33:15.000-10:00
* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* delete keys for wn

* Update aspnetcore/release-notes/aspnetcore-9/includes/delete_keys.md

Co-authored-by: Andrew Casey &lt;amcasey@users.noreply.github.com&gt;

* delete keys for wn

* delete keys for wn

* delete keys for wn

---------

Co-authored-by: Andrew Casey &lt;amcasey@users.noreply.github.com&gt;
diff --git a/aspnetcore/release-notes/aspnetcore-9/includes/delete_keys.md b/aspnetcore/release-notes/aspnetcore-9/includes/delete_keys.md
@@ -0,0 +1,9 @@
+<!--
+[!INCLUDE[](~/release-notes/aspnetcore-9/includes/delete_keys.md)]
+-->
+
+### Data Protection support for deleting keys
+
+Prior to .NET 9, data protection keys were ___not___ deletable by design, to prevent data loss. Deleting a key renders its protected data irretrievable. Given their small size, the accumulation of these keys generally posed minimal impact. However, to accommodate extremely long-running services, we have introduced the option to delete keys. Generally, only old keys should be deleted. Only delete keys when you can accept the risk of data loss in exchange for storage savings. We recommend data protection keys should ___not___ be deleted.
+
+:::code language="csharp" source="~/security/data-protection/configuration/samples/9/deleteKeys/Program.cs" :::
diff --git a/aspnetcore/security/data-protection/configuration/samples/9/deleteKeys/ConsoleApp1.csproj b/aspnetcore/security/data-protection/configuration/samples/9/deleteKeys/ConsoleApp1.csproj
@@ -0,0 +1,10 @@
+﻿<Project Sdk="Microsoft.NET.Sdk.Web">
+
+	<PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net9.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+</Project>
diff --git a/aspnetcore/security/data-protection/configuration/samples/9/deleteKeys/Program.cs b/aspnetcore/security/data-protection/configuration/samples/9/deleteKeys/Program.cs
@@ -0,0 +1,27 @@
+﻿using Microsoft.AspNetCore.DataProtection.KeyManagement;
+
+var services = new ServiceCollection();
+services.AddDataProtection();
+
+var serviceProvider = services.BuildServiceProvider();
+
+var keyManager = serviceProvider.GetService<IKeyManager>();
+
+if (keyManager is IDeletableKeyManager deletableKeyManager)
+{
+    var utcNow = DateTimeOffset.UtcNow;
+    var yearAgo = utcNow.AddYears(-1);
+
+    if (!deletableKeyManager.DeleteKeys(key => key.ExpirationDate < yearAgo))
+    {
+        Console.WriteLine("Failed to delete keys.");
+    }
+    else
+    {
+        Console.WriteLine("Old keys deleted successfully.");
+    }
+}
+else
+{
+    Console.WriteLine("Key manager does not support deletion.");
+}
