Store and use existing Data Protection keys on Azure
I am trying to sync on-prem keys with the Azure cloud setup so that both environments can decrypt the authorization header access tokens.
Currently I have this setup:
Added an existing XML key file in this format to Azure Blob Storage:
<?xml version="1.0" encoding="utf-8"?>
<key id="id..." version="1">
<creationDate>2018-05-08T17:44:54.9313191Z</creationDate>
<activationDate>2018-05-08T17:44:54.8979462Z</activationDate>
<expirationDate>2023-05-07T17:44:54.8979462Z</expirationDate>
<descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
<descriptor>
<encryption algorithm="AES_256_CBC" />
<validation algorithm="HMACSHA256" />
<masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
<!-- Warning: the key below is in an unencrypted form. -->
<value>my-shared-key</value>
</masterKey>
</descriptor>
</descriptor>
</key>
The key is registered during application startup like this:
services.AddDataProtection()
.SetApplicationName("common-app-name")
.DisableAutomaticKeyGeneration()
.PersistKeysToAzureBlobStorage(new Uri("my uri/sas"));
These warnings/errors are seen during startup:
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
Unknown element with name 'creationDate' found in keyring, skipping.
Loaded
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'creationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'activationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
Unknown element with name 'activationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'expirationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
Unknown element with name 'expirationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'descriptor' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
Unknown element with name 'descriptor' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider:Error: An error occurred while reading the key ring.
System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow)
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[48]
An error occurred while reading the key ring.
Where am I going wrong?
Thanks in advance.
Update:
I also tried registering the Azure keys this way, but still get the same error:
var storageAccount = CloudStorageAccount.Parse("<connectionstring + access key>");
var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference("dev");
container.CreateIfNotExistsAsync().GetAwaiter().GetResult();
services.AddDataProtection()
.SetApplicationName("common-name")
.PersistKeysToAzureBlobStorage(container, "keys.xml")
.DisableAutomaticKeyGeneration();
I eventually found the answer myself; unfortunately this is not documented anywhere in the MS Azure Docs.
Put simply, you need to wrap the key XML elements in a root <repository></repository> element.
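As an added example (not code from the question or the answer, and not the ASP.NET Core library's own code), the following Python script assembles the <repository>-wrapped key ring the answer describes from one or more standalone key files, and runs two defender-side checks before the file is uploaded to Blob Storage: whether any master key flagged requiresEncryption="true" is still stored as a plaintext <value> (the condition the XML comment in the question warns about), and whether at least one key is activated and not yet expired at a given time, since with DisableAutomaticKeyGeneration() an empty set produces exactly the "does not contain a valid default protection key" error shown above. The sample key document, its id and its master key value are constructed placeholders; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace that carries the p4:requiresEncryption attribute in the key file
DP_NS = "http://schemas.asp.net/2015/03/dataProtection"
ET.register_namespace("p4", DP_NS)  # keep the p4 prefix when re-serialising

# Constructed sample input: one standalone key file in the layout shown in the
# question. The id and the master key value are placeholders, not real material.
SAMPLE_KEY_XML = """<?xml version="1.0" encoding="utf-8"?>
<key id="00000000-0000-0000-0000-000000000001" version="1">
  <creationDate>2018-05-08T17:44:54.9313191Z</creationDate>
  <activationDate>2018-05-08T17:44:54.8979462Z</activationDate>
  <expirationDate>2023-05-07T17:44:54.8979462Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>PLACEHOLDER-MASTER-KEY</value>
      </masterKey>
    </descriptor>
  </descriptor>
</key>
"""


def wrap_keys_in_repository(key_documents):
    """Build the <repository> document the blob provider expects from one or more
    standalone <key> documents (str or bytes) and return it as XML text."""
    repo = ET.Element("repository")
    for doc in key_documents:
        data = doc.encode("utf-8") if isinstance(doc, str) else doc
        key = ET.fromstring(data)
        if key.tag != "key":
            raise ValueError(f"expected a <key> root element, got <{key.tag}>")
        repo.append(key)
    return ET.tostring(repo, encoding="unicode")


def repository_key_ids(repository_xml):
    """Return the id of every <key> directly under the <repository> root."""
    root = ET.fromstring(repository_xml)
    if root.tag != "repository":
        raise ValueError("key ring root element must be <repository>")
    return [k.get("id") for k in root.findall("key")]


def unencrypted_master_keys(repository_xml):
    """Return ids of keys whose <masterKey> is flagged requiresEncryption="true"
    but still carries a plaintext <value> child, i.e. key material that would be
    written to the store without encryption at rest."""
    root = ET.fromstring(repository_xml)
    exposed = []
    for key in root.findall("key"):
        for mk in key.iter("masterKey"):
            flagged = mk.get(f"{{{DP_NS}}}requiresEncryption", "").lower() == "true"
            if flagged and mk.find("value") is not None:
                exposed.append(key.get("id"))
    return exposed


def _parse_utc(text):
    # Drop the fractional seconds (7 digits in the key file, which strptime
    # cannot parse) and treat the trailing Z as UTC.
    cleaned = re.sub(r"\.\d+", "", text.strip())
    return datetime.strptime(cleaned, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def default_key_candidates(repository_xml, now_iso):
    """Return ids of keys that are activated and not yet expired at now_iso
    (e.g. "2019-01-01T00:00:00Z"). If this list is empty and automatic key
    generation is disabled, the key ring has no valid default key."""
    now = _parse_utc(now_iso)
    root = ET.fromstring(repository_xml)
    usable = []
    for key in root.findall("key"):
        activation = _parse_utc(key.findtext("activationDate"))
        expiration = _parse_utc(key.findtext("expirationDate"))
        if activation <= now < expiration:
            usable.append(key.get("id"))
    return usable


if __name__ == "__main__":
    repo_xml = wrap_keys_in_repository([SAMPLE_KEY_XML])
    print(repo_xml)
    print("keys in repository:", repository_key_ids(repo_xml))
    print("plaintext master keys:", unencrypted_master_keys(repo_xml))
    print("usable on 2019-01-01:", default_key_candidates(repo_xml, "2019-01-01T00:00:00Z"))
    print("usable on 2024-01-01:", default_key_candidates(repo_xml, "2024-01-01T00:00:00Z"))
```

Running the script against the sample reports the one key as a plaintext master key and as usable only while the 2018 to 2023 activation window is open; a key file whose window has closed, or whose root is a bare <key> instead of <repository>, is what leaves the key ring without a default key at startup.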