Data Protection with Azure Key Vault and Azure Storage in .NET or .NET Core applications

Ashish Patel, published in .NET Hub, Feb 27, 2021 (2 min read)


Use Azure Key Vault and Azure Storage to store Data Protection keys with .NET or .NET Core applications

Data Protection with Azure Key Vault and Azure Blob Storage

TL;DR

.NET applications store Data Protection keys in the local file system by default. The goal is to configure the Data Protection system so that its keys live outside the app server and are protected at rest: Azure Blob Storage works well as the shared key store, and Azure Key Vault wraps the keys before they are written to the blob.

The ASP.NET Core Data Protection stack is designed to serve as the long-term replacement for the <machineKey> element in ASP.NET 1.x - 4.x. It was designed to address many of the shortcomings of the old cryptographic stack while providing an out-of-the-box solution for the majority of use cases modern applications are likely to encounter.

Applications often need to protect security-sensitive data such as authentication cookies or bearer tokens, and the Data Protection system supplies the keys used to encrypt and sign them. When that key ring is shared across several instances of a web app (and the instances use the same application name), any instance can read a cookie or antiforgery (CSRF) token issued by another, so authentication cookies and CSRF protection work across multiple servers.

To run across multiple servers, the Data Protection keys must be moved out of the local file system. The key ring is persisted as an XML document, one <key> element per key, and Azure Blob Storage is one way to store that document so every instance reads the same key ring. Since a blob on its own would hold the key material in plaintext, the keys should also be encrypted at rest, which is what Azure Key Vault provides.
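The configuration the paragraphs above describe, as an added example that is not code from the article. It is a .NET 6 Program.cs using the Azure.Extensions.AspNetCore.DataProtection.Blobs, Azure.Extensions.AspNetCore.DataProtection.Keys and Azure.Identity packages; the storage account, container, blob name, Key Vault name, key name, application name and purpose string are placeholders, and the two endpoints exist only to show a protect/unprotect round trip across instances that share the key ring.

```csharp
// Program.cs (.NET 6 minimal hosting model). Added example, not the article's code.
// Storage account, container, blob, Key Vault, key and application names are placeholders.
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// One credential for both Storage and Key Vault: managed identity when running in Azure,
// the developer's Azure CLI / Visual Studio login when running locally.
var credential = new DefaultAzureCredential();

builder.Services.AddDataProtection()
    // Every instance (and every app that must read the same cookies) must use the same
    // application name; otherwise the key ring is isolated per app and cookies do not round-trip.
    .SetApplicationName("contoso-web")
    // Persist the key ring as a single XML blob. The identity needs Storage Blob Data Contributor
    // on the container; the container must already exist, the blob is created on first use.
    .PersistKeysToAzureBlobStorage(
        new Uri("https://contosostorage.blob.core.windows.net/dataprotection/keys.xml"),
        credential)
    // Wrap each key with an RSA key in Key Vault before it is written, so the blob never holds
    // plaintext key material. The identity needs the wrapKey/unwrapKey permissions on that key
    // (Key Vault Crypto User role, or equivalent access-policy key permissions).
    .ProtectKeysWithAzureKeyVault(
        new Uri("https://contoso-kv.vault.azure.net/keys/dataprotection-kek"),
        credential);

var app = builder.Build();

// Smoke test: call /protect on one instance and /unprotect with the result on another.
// The purpose string must match on both sides; a different purpose yields a different protector.
app.MapGet("/protect", (IDataProtectionProvider provider, string value) =>
{
    var protector = provider.CreateProtector("Contoso.Demo.v1");
    return Results.Text(protector.Protect(value));
});

app.MapGet("/unprotect", (IDataProtectionProvider provider, string token) =>
{
    var protector = provider.CreateProtector("Contoso.Demo.v1");
    try
    {
        return Results.Text(protector.Unprotect(token));
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Wrong purpose, different application name, tampered payload,
        // or a key this instance cannot unwrap from Key Vault.
        return Results.BadRequest("payload was not produced with this key ring and purpose");
    }
});

app.Run();
```

Two checks worth running after deploying this: confirm that the blob contains <encryptedKey> elements rather than plaintext <key> material (that proves ProtectKeysWithAzureKeyVault is in effect), and confirm that a token produced by one instance unprotects on a second instance but fails once SetApplicationName is changed on either side.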


Cloud Architect • 4x AWS Certified • 6x Azure Certified • 1x Kubernetes Certified • MCP • .NET • Terraform • DevOps • Blogger [https://bit.ly/iamashishpatel]