aspnet/DataProtection

DataProtection keys in azure blob storage protect with x509 cert rotation question

RickBlouch opened this issue · 4 comments

I originally posted this over on aspnet/security under issue #1225 and was directed here by @Tratcher

We are using service fabric for our web apps and based on the samples and documentation, we are planning to use blob storage for data protection keys as follows so all web servers are on the same page.
serviceCollection.AddDataProtection().PersistKeysToAzureBlobStorage(container, "keys.xml");

Is it then also recommended to secure those keys as detailed by one of these methods?
My assumption is yes.

.ProtectKeysWithCertificate("thumbprint");

Given we are in service fabric I'm thinking the best option is x509 which leads to my question. What happens when the cert expires? We will obviously renew the cert ahead of time, but won't the updated cert cause the keys to be unobtainable? Is there some rotation process?

xqrzd commented

This is my understanding (I could be totally wrong here):

The key identifier is stored with the encrypted data, which lets you know which key was used. The key stores which certificate it's protected by, so as long as your old certificate is still in the store, you should be able to continue using those keys.

I would assume an expired certificate could still be used to unprotect keys, but I haven't checked.

Assuming all of this is true, I'd assume you could rotate certificates by:

  1. Create a new certificate, roll it out to relevant machines
  2. Tell your key generation applications to start using the new thumbprint

Now new keys will be protected by the new certificate, and you should be able to continue using existing keys (provided you keep your old certificate in the store).

That makes sense, so to summarize the actions that need to be performed:

  • Install the new cert in the environments - keeping the old cert as well.
  • Update the thumbprint in this call: ProtectKeysWithCertificate('thumbprint');
  • After some period of time remove the old cert from the environments.

It would be great to have this confirmed (and possibly added to the documentation).
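The rotation steps above, written out as a startup configuration. This is an added example, not code from the issue or from the aspnet/DataProtection project, and it uses APIs (`ProtectKeysWithCertificate(X509Certificate2)` and `UnprotectKeysWithAnyCertificate`) that shipped in Microsoft.AspNetCore.DataProtection releases later than this thread; it assumes that package plus the `CloudBlobContainer`-based `PersistKeysToAzureBlobStorage` overload used in the original post, and the thumbprints and the `DataProtectionSetup` class are placeholders. The point it shows is the one the thread converges on: only the current certificate protects new keys, every retired certificate stays installed and registered for unprotect, and loading with `validOnly: false` keeps an expired certificate usable for decryption.

```csharp
// Added example (not from the issue thread). Assumes Microsoft.AspNetCore.DataProtection 2.1+
// and the CloudBlobContainer overload of PersistKeysToAzureBlobStorage from
// Microsoft.AspNetCore.DataProtection.AzureStorage. Thumbprints are placeholders.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.WindowsAzure.Storage.Blob;

public static class DataProtectionSetup
{
    // Certificate that should protect NEW keys after the rotation (placeholder thumbprint).
    const string CurrentThumbprint = "PLACEHOLDER_NEW_CERT_THUMBPRINT";

    // Previous certificates that still protect keys already present in keys.xml.
    // They must stay installed on every node and listed here until no live key
    // depends on them; only then can they be dropped from the environments.
    static readonly string[] RetiredThumbprints = { "PLACEHOLDER_OLD_CERT_THUMBPRINT" };

    public static void Configure(IServiceCollection services, CloudBlobContainer container)
    {
        X509Certificate2 current = LoadFromStore(CurrentThumbprint);

        // A certificate past NotAfter can still unprotect old keys, but it should not
        // be the one protecting new keys; fail fast at startup rather than at first use.
        if (current.NotAfter < DateTime.Now)
            throw new InvalidOperationException(
                $"Certificate {CurrentThumbprint} has expired and must not protect new keys.");

        // Retired certificates are loaded the same way; an expired one is fine here.
        X509Certificate2[] retired = RetiredThumbprints.Select(LoadFromStore).ToArray();

        services.AddDataProtection()
            .PersistKeysToAzureBlobStorage(container, "keys.xml")
            .ProtectKeysWithCertificate(current)          // new keys -> current cert
            .UnprotectKeysWithAnyCertificate(retired);    // old keys -> any retired cert
    }

    static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly: false is essential: with validOnly: true an expired certificate
            // is filtered out, and keys protected with it become unreadable on this node.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"Certificate {thumbprint} is not installed on this node; " +
                    "keys protected with it cannot be unprotected here.");

            return matches[0];
        }
    }
}
```

Each node's service account needs read access to the private keys of both the current and the retired certificates, since unprotecting a key from blob storage happens on whichever node first touches it. The startup checks make the failure mode of the third rotation step visible: removing an old certificate too early surfaces as a clear exception at startup on the next deployment instead of as scattered decryption failures.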

There's another option coming in 2.0, Azure KeyVault.

@xqrzd is correct in his assumption that expired certificates, whether held in the OS or in KeyVault, will still allow decryption of data protection keys; they just won't protect new ones, so as long as the expired cert is available you'll still be able to unprotect data with keys that were encrypted with the expired cert.

Very glad to see Azure KeyVault as a protection option instead of specifying a thumbprint.