Last summer I switched to Blob storage and Key Vault to store and encrypt the data protection keys for my simple .NET Core web app. I did this so that users would not have to log in again after I swap the deployment slot from staging to production.
I used the following page as a guide: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-5.0
Here is my startup configuration:
```csharp
// Startup.ConfigureServices: persist the key ring to Blob storage and wrap the keys with Key Vault
services.AddDataProtection()
    .PersistKeysToAzureBlobStorage(new Uri($"{dpSettings.BlobUrl}{dpSettings.SasToken}"))
    .ProtectKeysWithAzureKeyVault(new Uri(dpSettings.KeyVaultUrl), new DefaultAzureCredential());
```
Package references used:
```xml
<PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.0.2" />
<PackageReference Include="Azure.Identity" Version="1.3.0" />
<PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
<PackageReference Include="EPPlus" Version="4.5.3.2" />
<PackageReference Include="HtmlSanitizer" Version="5.0.376" />
<PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.17.0" />
<PackageReference Include="Microsoft.ApplicationInsights.PerfCounterCollector" Version="2.17.0" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection.AzureStorage" Version="3.1.13" />
<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="5.0.4" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="5.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="5.0.4">
  <PrivateAssets>all</PrivateAssets>
  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="5.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="5.0.4">
  <PrivateAssets>all</PrivateAssets>
  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="5.0.0" />
<PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="5.0.2" PrivateAssets="All" />
<PackageReference Include="Postmark" Version="4.5.0" />
<PackageReference Include="Stripe.net" Version="35.17.0" />
<PackageReference Include="TimeZoneConverter" Version="3.4.0" />
```
It worked great, but... after 90 days the site stopped working and reported the following error:
```
Message: An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information.
Stacktrace:
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Serialize(AntiforgeryToken token)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.Serialize(IAntiforgeryFeature antiforgeryFeature)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetAndStoreTokens(HttpContext httpContext)
at...
```
After some troubleshooting I found that the expiration date of the keys.xml file in blob storage was today. My understanding is that a new key should be created as the expiration date approaches. To fix it I simply deleted the keys.xml file, and the application created a new one. I suppose I could automate that, but I'm fairly sure I shouldn't have to. Any help is appreciated.
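As an added monitoring check (not code from the question or from the Data Protection docs), the script below reads a key ring in the layout keys.xml uses and reports whether the currently active key is about to expire with no successor key already in the ring, which is the state the question describes before the outage. It is written in Python rather than the app's C# so it can run outside the site; the sample XML, the key ids and the two-day alerting horizon are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample in the layout Data Protection writes to keys.xml (one <key> per key);
# the <descriptor> and <revocation> elements are omitted because this check ignores them.
SAMPLE_KEYS_XML = """<?xml version="1.0" encoding="utf-8"?>
<repository>
  <key id="00000000-0000-0000-0000-000000000001" version="1">
    <activationDate>2021-01-10T00:00:00.0000000Z</activationDate>
    <expirationDate>2021-04-10T00:00:00.0000000Z</expirationDate>
  </key>
</repository>
"""
# The same ring after a successor key was generated ahead of the first key's expiry.
SUCCESSOR_KEY_XML = """  <key id="00000000-0000-0000-0000-000000000002" version="1">
    <activationDate>2021-04-10T00:00:00.0000000Z</activationDate>
    <expirationDate>2021-07-09T00:00:00.0000000Z</expirationDate>
  </key>
"""
SAMPLE_WITH_SUCCESSOR_XML = SAMPLE_KEYS_XML.replace("</repository>", SUCCESSOR_KEY_XML + "</repository>")


def _ts(text):
    """Parse a UTC timestamp; .NET writes up to seven fractional digits, fromisoformat takes six."""
    text = text.strip().rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def parse_keys(xml_text):
    """Return [(id, activation, expiration)] for every <key> in the ring."""
    root = ET.fromstring(xml_text)
    return [(k.get("id"), _ts(k.findtext("activationDate")), _ts(k.findtext("expirationDate")))
            for k in root.iter("key")]


def key_ring_status(keys, now, horizon):
    """'no_active_key': nothing can protect data now (the failure in the question);
    'expiring': a key is active now but none covers now+horizon, so rotation has not happened;
    'ok': some key also covers the end of the horizon."""
    def covered(t):
        return any(act <= t < exp for _, act, exp in keys)
    if not covered(now):
        return "no_active_key"
    return "ok" if covered(now + horizon) else "expiring"


def status_from_xml(xml_text, now_iso, horizon_days=2):
    """Convenience entry point; the two-day horizon is an assumed alerting window, not a framework value."""
    return key_ring_status(parse_keys(xml_text), _ts(now_iso), timedelta(days=horizon_days))
```

Point it at a copy of the blob's keys.xml from a scheduled job and alert on anything other than "ok"; a ring that reports "expiring" for days in a row is the condition to investigate before the site stops issuing tokens.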