Amazon Web Services integration for ASP.NET Core data protection. Server keys can be stored in S3 and/or key material encrypted using KMS.

With thanks to the Jetbrains team for their open source license of Resharper! SonarQube scans can be found here.

By default, ASP.NET Core Data Protection stores encryption keys locally, causing issues with key mismatches across server farms. S3 can be used instead of a shared filesystem to provide XML key file storage.

This component deals purely with storage of the XML key files; without Data Protection configured to also encrypt, the key itself is written into each XML file as plaintext (thus contrasting between encryption options for storage of the file, and whether the key within the file is also encrypted independently). See below for an encryption component that uses AWS KMS to encrypt the key material within the XML file prior to storage.

Server-side S3 encryption of AES256 is enabled by default. It remains the client's responsibility to ensure access control to the S3 bucket is appropriately configured, as well as determining whether the various S3 encryption options are sufficient.

Guidance from Microsoft indicates that the repository itself cannot clean up key data as the usage lifetime is not known to the key management layer. If S3 usage over time is a concern, clients need to trade off key lifetime (and corresponding revocation lifetime) vs S3 storage costs. A suitable approach might be S3 lifecycle policies to remove ancient key files that could not possibly be in use in the client's deployed scenario. Key files generated by typical XmlKeyManager runs are less than 1kB each.

NuGet page for AspNetCore.DataProtection.Aws.S3

In Startup.cs, specified as part of Data Protection configuration:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
            .PersistKeysToAwsS3(new AmazonS3Client(), new S3XmlRepositoryConfig("my-bucket-name")
            // Configuration has defaults; all below are optional
            {
                // How many concurrent connections will be made to S3 to retrieve key data
                MaxS3QueryConcurrency = 10,
                // Custom prefix in the S3 bucket enabling use of folders
                KeyPrefix = "MyKeys/",
                // Customise storage class for key storage
                StorageClass = S3StorageClass.Standard,
                // Customise encryption options (these can be mutually exclusive - don't just copy & paste!)
                ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256,
                ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
                ServerSideEncryptionCustomerProvidedKey = "MyBase64Key",
                ServerSideEncryptionCustomerProvidedKeyMD5 = "MD5OfMyBase64Key",
                ServerSideEncryptionKeyManagementServiceKeyId = "AwsKeyManagementServiceId",
                // Compress stored XML before write to S3
                ClientSideCompression = true
            });
}

If the IAmazonS3 interface is discoverable via Dependency Injection in IServiceCollection, the constructor argument of AmazonS3Client can be omitted.

Default options for ASP.NET data encryption are bound to certificates or Windows-specific DPAPI constructs. AWS Key Management Service keys can be used instead to provide a consistent master key for protecting the server key material itself while stored within the XML files.

Please note that IServiceProvider/IServiceCollection Dependency Injection is required for this to operate correctly, due to the Data Protection key manager needing to locate & create the appropriate IXmlDecryptor on demand.

It remains the client's responsibility to correctly configure access control to the chosen KMS key, and whether their precise scenario requires grants or particular encryption contexts.

NuGet page for AspNetCore.DataProtection.Aws.Kms

In Startup.cs, specified as part of Data Protection configuration:

public void ConfigureServices(IServiceCollection services)
{
    var kmsConfig = new KmsXmlEncryptorConfig("my-application-name", "alias/MyKmsAlias");
    // Configuration has default contexts added; below are optional if using grants or additional contexts
    kmsConfig.EncryptionContext.Add("my-custom-context", "my-custom-value");
    kmsConfig.GrantTokens.Add("my-grant-token");

    services.AddDataProtection()
            .ProtectKeysWithAwsKms(new AmazonKeyManagementServiceClient(), kmsConfig);
}

If the IAmazonKeyManagementService interface is discoverable via Dependency Injection in IServiceCollection, the constructor argument of AmazonKeyManagementServiceClient can be omitted.