使用Azure App服务中可扩展的Asp.Net Core数据保护

huangapple go评论120阅读模式
英文:

Using Asp.Net Core Data Protection in scalable Azure App service

问题

我正在构建一个利用数据保护功能来加密Cookie值的Asp.net核心应用程序,运行在Windows Azure应用服务中。

我的理解是,这种保护是基于一个密钥环的,它提供要使用的加密密钥,但我不清楚在扩展的环境中密钥环是否会保持不变。

当Azure应用服务进行扩展时(没有会话亲和性),是否会使用相同的密钥环,如果是的话,使用站点的用户是否能够连接到不同的节点而不会遇到解密Cookie时出现问题的情况?

谢谢!

英文:

I am building an Asp.net core app which takes advantage of the Data Protection capabilities to encrypt cookie values, running in a Windows Azure App Service.

My understanding is that this protection is based on a key ring which provides the encryption keys to use, but I am unclear on whether or not the key ring will stay the same in a scaled out environment .

When the Azure app service scales out, (without session affinity) is the same key ring used and, if so, will users using the site be able to connect to different nodes without experiencing difficulty with the app failing to decrypt the cookie?

Thanks!

答案1

得分: 1

引用自docs

应用程序尝试检测其运行环境并自行处理密钥配置。

  1. 如果应用程序托管在Azure应用服务中,密钥将持久化存储在 %HOME%\ASP.NET\DataProtection-Keys 文件夹中。该文件夹由网络存储支持,并在托管应用程序的所有机器之间进行同步。
    • 密钥在静止状态下不受保护。
    • DataProtection-Keys 文件夹为单个部署槽中的所有应用程序实例提供密钥环。
    • 单独的部署槽(例如,暂存和生产环境)不共享密钥环。当在部署槽之间进行切换时,例如从暂存切换到生产环境或使用A/B测试时,使用Data Protection的应用程序将无法使用先前槽内的密钥环解密存储的数据。这将导致使用标准ASP.NET Core cookie身份验证的应用程序的用户被注销,因为它使用Data Protection来保护其Cookie。如果您需要与槽无关的密钥环,请使用外部密钥环提供程序,例如Azure Blob存储、Azure Key Vault、SQL存储或Redis缓存。

因此,它将以未加密的方式存储密钥在跨所有应用服务实例共享的网络存储中。因此,它应该正常工作。

英文:

Quote from docs:

> The app attempts to detect its operational environment and handle key
> configuration on its own.
>
> 1. If the app is hosted in Azure Apps, keys are persisted to the %HOME%\ASP.NET\DataProtection-Keys folder. This folder is backed by
> network storage and is synchronized across all machines hosting the
> app.
> - Keys aren't protected at rest.
> - The DataProtection-Keys folder supplies the key ring to all instances of an app in a single deployment slot.
> - Separate deployment slots, such as Staging and Production, don't share a key ring. When you swap between deployment slots, for
> example swapping Staging to Production or using A/B testing, any app
> using Data Protection won't be able to decrypt stored data using the
> key ring inside the previous slot. This leads to users being logged
> out of an app that uses the standard ASP.NET Core cookie
> authentication, as it uses Data Protection to protect its cookies. If
> you desire slot-independent key rings, use an external key ring
> provider, such as Azure Blob Storage, Azure Key Vault, a SQL store, or
> Redis cache.

So it will store the keys unencrypted on the network storage that is shared across all instances of your App Service. So it should just work.

huangapple
  • 本文由 发表于 2023年8月10日 14:56:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/76873271.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定