堆栈内存溢出
  简体   繁体   English

在 azure 上存储和使用现有的数据保护密钥

[英]Store and use existing Data Protection keys on azure

 原文  2020-01-22 08:39:29       c#/ azure/ asp.net-core/ azure-storage-blobs/ data-protection

问题描述

I am trying to sync on prem keys with an azure cloud setup so both environments can decrypt the authorization header access tokens.我正在尝试使用 azure 云设置同步 prem 密钥,以便两个环境都可以解密授权标头访问令牌。

Currently I have this setup:目前我有这个设置:

Added the existing xml key file in this format to azure blob storage:将这种格式的现有 xml 密钥文件添加到 azure blob 存储:

<?xml version="1.0" encoding="utf-8"?>
<key id="id..." version="1">
  <creationDate>2018-05-08T17:44:54.9313191Z</creationDate>
  <activationDate>2018-05-08T17:44:54.8979462Z</activationDate>
  <expirationDate>2023-05-07T17:44:54.8979462Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>my-shared-key</value>
      </masterKey>
    </descriptor>
  </descriptor>
</key>

Registered the key during app startup like this:在应用程序启动期间注册密钥,如下所示:

services.AddDataProtection()
  .SetApplicationName("common-app-name")
  .DisableAutomaticKeyGeneration()
  .PersistKeysToAzureBlobStorage(new Uri("my uri/sas"));

Seeing these warnings/errors during startup:在启动过程中看到这些警告/错误:

warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'creationDate' found in keyring, skipping.
Loaded 
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'creationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'activationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'activationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'expirationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'expirationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'descriptor' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'descriptor' found in keyring, skipping.

Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider:Error: An error occurred while reading the key ring.

System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow)
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[48]
      An error occurred while reading the key ring.

Where am I going wrong here?我哪里出错了?

Thanks in advance.提前致谢。

update:更新:

Also tried this way of registering the azure keys, but still seeing the same error:也尝试过这种注册 azure 密钥的方式,但仍然看到相同的错误:

var storageAccount = CloudStorageAccount.Parse("<connectionstring + access key>");
var client = storageAccount.CreateCloudBlobClient();

var container = client.GetContainerReference("dev");
container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

services.AddDataProtection()
       .SetApplicationName("common-name")
       .PersistKeysToAzureBlobStorage(container, "keys.xml")
       .DisableAutomaticKeyGeneration();

1 个解决方案

解决方案1
 1 已采纳  2020-01-22 16:59:11

Ended up finding the answer myself, unfortunately this information isn't documented in MS Azure Docs anywhere.最终自己找到了答案,不幸的是,此信息未记录在 MS Azure Docs 中的任何地方。

Simply speaking you need to wrap the key xml elements in a root <repository></repository> element.简单地说,您需要将关键的 xml 元素包装在根<repository></repository>元素中。

https://stackoverflow.com/a/57804689/471565 https://stackoverflow.com/a/57804689/471565

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 数据保护密钥未保留到Azure - Data Protection Keys Not Persisted To Azure Azure网站上的数据保护/加密? - Data protection / encryption on Azure websites? docker 容器是否需要数据保护密钥? - Are the data protection keys necessary for docker container? 如何存储使用 2 个键查找值的数据对象 - How to store data objects that use 2 keys to look up a value ASP.NET Core OpenIdConnectServer数据保护密钥位置 - ASP.NET Core OpenIdConnectServer data protection keys location 如何在 Xamarin.iOS 中使用数据保护? - How to use Data Protection in Xamarin.iOS? 在Azure上使用Autofac时数据保护操作失败 - Data protection operation unsuccessful when using Autofac on Azure 使用现有的Hashset作为Keys来创建新的字典 - Use existing Hashset as Keys to create new dictionary Azure Data Lake Store基准测试 - Azure Data Lake Store Benchmarks 可以使用请求url存储缓存键吗? - Is it OK to use the request url to store cache keys?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM