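public void System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory()
{
    // Verifies that a provider created without an explicit key directory persists its key
    // in the directory reported by IDefaultKeyStorageDirectories, and that the key file
    // carries the at-rest protection marker expected for the current platform.
    var mock = new Mock<IDefaultKeyStorageDirectories>();

    // A unique directory per run keeps the "exactly one key file" assertion below independent
    // of keys left behind by other tests.
    var keysPath = Path.Combine(AppContext.BaseDirectory, Path.GetRandomFileName());
    mock.Setup(m => m.GetKeyStorageDirectory()).Returns(new DirectoryInfo(keysPath));

    try
    {
        // Step 1: Instantiate the system and round-trip a payload
        var provider = DataProtectionProvider.CreateProvider(
            keyDirectory: null,
            certificate: null,
            setupAction: builder =>
            {
                builder.SetApplicationName("TestApplication");

                // Register an XmlKeyManager that receives the mocked default-directory lookup,
                // so the key lands in keysPath rather than a real per-user location.
                builder.Services.AddSingleton<IKeyManager>(s =>
                    new XmlKeyManager(
                        s.GetRequiredService<IOptions<KeyManagementOptions>>(),
                        s.GetRequiredService<IActivator>(),
                        NullLoggerFactory.Instance,
                        mock.Object));
            });

        var protector = provider.CreateProtector("Protector");
        var plainText = "payload";
        Assert.Equal(plainText, protector.Unprotect(protector.Protect(plainText)));

        // Step 2: Validate that there's now a single key in the directory
        var newFileName = Assert.Single(Directory.GetFiles(keysPath));
        var file = new FileInfo(newFileName);
        Assert.StartsWith("key-", file.Name, StringComparison.OrdinalIgnoreCase);
        var fileText = File.ReadAllText(file.FullName);

        // On Windows, validate that it's protected using Windows DPAPI.
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal);
            Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal);
        }
        else
        {
            // No certificate was supplied, so on other platforms the key file is expected to
            // carry the unencrypted-key warning.
            Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal);
        }
    }
    finally
    {
        // Remove the generated key file. Off Windows it holds key material in unencrypted form
        // (asserted above), so it should not be left under the application base directory
        // once the test has finished, whether it passed or failed.
        if (Directory.Exists(keysPath))
        {
            Directory.Delete(keysPath, recursive: true);
        }
    }
}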