Data Protection machine-wide policy support in ASP.NET Core

By Rick Anderson

When running on Windows, the Data Protection system has limited support for setting a default machine-wide policy for all apps that consume ASP.NET Core Data Protection. The general idea is that an administrator might wish to change a default setting, such as the algorithms used or the key lifetime, without having to manually update every app on the machine.

Warning

The system administrator can set a default policy, but they can't enforce it. The app developer can always override any value with one of their own choosing. The default policy only affects apps where the developer hasn't specified an explicit value for a setting.

Setting default policy

To set the default policy, an administrator can set known values in the system registry under the following registry key:

HKLM\SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection

If you're on a 64-bit operating system and want to affect the behavior of 32-bit apps, remember to configure the Wow6432Node equivalent of the above key.

The supported values are shown below.

Value | Type | Description
EncryptionType | string | Specifies which algorithms should be used for data protection. The value must be CNG-CBC, CNG-GCM, or Managed, and is described in more detail below.
DefaultKeyLifetime | DWORD | Specifies the lifetime for newly generated keys. The value is specified in days and must be >= 7.
KeyEscrowSinks | string | Specifies the types that are used for key escrow. The value is a semicolon-delimited list of key escrow sinks, where each element in the list is the assembly-qualified name of a type that implements IKeyEscrowSink.

Encryption types

If EncryptionType is CNG-CBC, the system is configured to use a CBC-mode symmetric block cipher for confidentiality and HMAC for authenticity, with services provided by Windows CNG (see Specifying custom Windows CNG algorithms for more details). The following additional values are supported, each of which corresponds to a property on the CngCbcAuthenticatedEncryptionSettings type.

Value | Type | Description
EncryptionAlgorithm | string | The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in CBC mode.
EncryptionAlgorithmProvider | string | The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm.
EncryptionAlgorithmKeySize | DWORD | The length (in bits) of the key to derive for the symmetric block cipher algorithm.
HashAlgorithm | string | The name of a hash algorithm understood by CNG. This algorithm is opened in HMAC mode.
HashAlgorithmProvider | string | The name of the CNG provider implementation that can produce the algorithm HashAlgorithm.

If EncryptionType is CNG-GCM, the system is configured to use a Galois/Counter Mode symmetric block cipher for confidentiality and authenticity, with services provided by Windows CNG (see Specifying custom Windows CNG algorithms for more details). The following additional values are supported, each of which corresponds to a property on the CngGcmAuthenticatedEncryptionSettings type.

Value | Type | Description
EncryptionAlgorithm | string | The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in Galois/Counter Mode.
EncryptionAlgorithmProvider | string | The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm.
EncryptionAlgorithmKeySize | DWORD | The length (in bits) of the key to derive for the symmetric block cipher algorithm.

If EncryptionType is Managed, the system is configured to use a managed SymmetricAlgorithm for confidentiality and a KeyedHashAlgorithm for authenticity (see Specifying custom managed algorithms for more details). The following additional values are supported, each of which corresponds to a property on the ManagedAuthenticatedEncryptionSettings type.

Value | Type | Description
EncryptionAlgorithmType | string | The assembly-qualified name of a type that implements SymmetricAlgorithm.
EncryptionAlgorithmKeySize | DWORD | The length (in bits) of the key to derive for the symmetric encryption algorithm.
ValidationAlgorithmType | string | The assembly-qualified name of a type that implements KeyedHashAlgorithm.

If EncryptionType has any value other than the three above, null, or empty, the Data Protection system throws an exception at startup.
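The following PowerShell script is an added example, not part of the original page, showing how an administrator would apply the registry policy described above (both the main key and its Wow6432Node equivalent) and then read it back to catch the two mistakes the page warns about: an unrecognized EncryptionType, which makes apps throw at startup, and a DefaultKeyLifetime below 7 days. The concrete choices (CNG-GCM, AES with a 256-bit key, a 90-day lifetime) are illustrative assumptions, and the function names are this example's own.

```powershell
# Run from an elevated PowerShell session on Windows.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection',
    # Wow6432Node equivalent so 32-bit apps on a 64-bit OS see the same policy
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection'
)

function Set-DataProtectionDefaultPolicy {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [ValidateSet('CNG-CBC', 'CNG-GCM', 'Managed')] [string] $EncryptionType = 'CNG-GCM',
        [ValidateRange(7, [int]::MaxValue)] [int] $DefaultKeyLifetimeDays = 90   # assumed value
    )
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    # EncryptionType is a string value; DefaultKeyLifetime is a DWORD in days (must be >= 7)
    Set-ItemProperty -Path $KeyPath -Name 'EncryptionType' -Value $EncryptionType -Type String
    Set-ItemProperty -Path $KeyPath -Name 'DefaultKeyLifetime' -Value $DefaultKeyLifetimeDays -Type DWord

    if ($EncryptionType -eq 'CNG-GCM') {
        # CngGcmAuthenticatedEncryptionSettings properties; AES-256 is an assumed choice
        Set-ItemProperty -Path $KeyPath -Name 'EncryptionAlgorithm' -Value 'AES' -Type String
        Set-ItemProperty -Path $KeyPath -Name 'EncryptionAlgorithmKeySize' -Value 256 -Type DWord
    }
}

function Test-DataProtectionDefaultPolicy {
    param([Parameter(Mandatory)] [string] $KeyPath)
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $problems = @()
    # Null or empty EncryptionType is allowed; any other non-listed value throws at app startup
    if (-not [string]::IsNullOrEmpty($p.EncryptionType) -and
        $p.EncryptionType -notin @('CNG-CBC', 'CNG-GCM', 'Managed')) {
        $problems += "EncryptionType '$($p.EncryptionType)' is not CNG-CBC, CNG-GCM or Managed"
    }
    if ($null -ne $p.DefaultKeyLifetime -and $p.DefaultKeyLifetime -lt 7) {
        $problems += "DefaultKeyLifetime $($p.DefaultKeyLifetime) is below the 7-day minimum"
    }
    return $problems
}

foreach ($key in $PolicyKeys) {
    Set-DataProtectionDefaultPolicy -KeyPath $key
    $issues = Test-DataProtectionDefaultPolicy -KeyPath $key
    if ($issues) { Write-Warning ("{0}: {1}" -f $key, ($issues -join '; ')) }
    else { Write-Host "$key : default policy set and validated" }
}
```

Remember that this is only a default: an app that configures its own algorithms or key lifetime in code still wins, so the check above validates the policy, not what every app on the machine ends up using.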

Warning

When configuring a default policy setting that involves type names (EncryptionAlgorithmType, ValidationAlgorithmType, KeyEscrowSinks), the types must be available to the app. This means that for apps running on the Desktop CLR, the assemblies that contain these types should be present in the Global Assembly Cache (GAC). For ASP.NET Core apps running on .NET Core, the packages that contain these types should be installed.