Key encryption at rest in Windows and Azure using ASP.NET Core

The data protection system employs a discovery mechanism by default to determine how cryptographic keys should be encrypted at rest. The developer can override the discovery mechanism and manually specify how keys should be encrypted at rest.

Warning

If you specify an explicit key persistence location, the data protection system deregisters the default key encryption at rest mechanism. Consequently, keys are no longer encrypted at rest. We recommend that you specify an explicit key encryption mechanism for production deployments. The encryption-at-rest mechanism options are described in this topic.

Azure Key Vault

To store keys in Azure Key Vault, configure the system with ProtectKeysWithAzureKeyVault in the Startup class:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
        .ProtectKeysWithAzureKeyVault("<keyIdentifier>", "<clientId>", "<clientSecret>");
}

For more information, see Configure ASP.NET Core Data Protection: ProtectKeysWithAzureKeyVault.

Windows DPAPI

Only applies to Windows deployments.

When Windows DPAPI is used, key material is encrypted with CryptProtectData before being persisted to storage. DPAPI is an appropriate encryption mechanism for data that's never read outside of the current machine (though it's possible to back these keys up to Active Directory; see DPAPI and Roaming Profiles). To configure DPAPI key-at-rest encryption, call one of the ProtectKeysWithDpapi extension methods:

public void ConfigureServices(IServiceCollection services)
{
    // Only the local user account can decrypt the keys
    services.AddDataProtection()
        .ProtectKeysWithDpapi();
}

If ProtectKeysWithDpapi is called with no parameters, only the current Windows user account can decipher the persisted key ring. You can optionally specify that any user account on the machine (not just the current user account) be able to decipher the key ring:

public void ConfigureServices(IServiceCollection services)
{
    // All user accounts on the machine can decrypt the keys
    services.AddDataProtection()
        .ProtectKeysWithDpapi(protectToLocalMachine: true);
}

X.509 certificate

If the app is spread across multiple machines, it may be convenient to distribute a shared X.509 certificate across the machines and configure the hosted apps to use the certificate for encryption of keys at rest:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .ProtectKeysWithCertificate("3BCE558E2AD3E0E34A7743EAB5AEA2A9BD2575A0");
}

Due to .NET Framework limitations, only certificates with CAPI private keys are supported. See the content below for possible workarounds to these limitations.

Windows DPAPI-NG

This mechanism is available only on Windows 8/Windows Server 2012 or later.

Beginning with Windows 8, the Windows OS supports DPAPI-NG (also called CNG DPAPI). For more information, see About CNG DPAPI.

The principal is encoded as a protection descriptor rule. In the following example that calls ProtectKeysWithDpapiNG, only the domain-joined user with the specified SID can decrypt the key ring:

public void ConfigureServices(IServiceCollection services)
{
    // Uses the descriptor rule "SID=S-1-5-21-..."
    services.AddDataProtection()
        .ProtectKeysWithDpapiNG("SID=S-1-5-21-...",
        flags: DpapiNGProtectionDescriptorFlags.None);
}

There's also a parameterless overload of ProtectKeysWithDpapiNG. Use this convenience method to specify the rule "SID={CURRENT_ACCOUNT_SID}", where CURRENT_ACCOUNT_SID is the SID of the current Windows user account:

public void ConfigureServices(IServiceCollection services)
{
    // Use the descriptor rule "SID={current account SID}"
    services.AddDataProtection()
        .ProtectKeysWithDpapiNG();
}

In this scenario, the AD domain controller is responsible for distributing the encryption keys used by the DPAPI-NG operations. The target user can decipher the encrypted payload from any domain-joined machine (provided that the process is running under their identity).

Certificate-based encryption with Windows DPAPI-NG

If the app is running on Windows 8.1/Windows Server 2012 R2 or later, you can use Windows DPAPI-NG to perform certificate-based encryption. Use the rule descriptor string "CERTIFICATE=HashId:THUMBPRINT", where THUMBPRINT is the hex-encoded SHA1 thumbprint of the certificate:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .ProtectKeysWithDpapiNG("CERTIFICATE=HashId:3BCE558E2...B5AEA2A9BD2575A0",
            flags: DpapiNGProtectionDescriptorFlags.None);
}

Any app pointed at this repository must be running on Windows 8.1/Windows Server 2012 R2 or later to decipher the keys.

Custom key encryption

If the in-box mechanisms aren't appropriate, the developer can specify their own key encryption mechanism by providing a custom IXmlEncryptor.
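As an added example (not code from the original page or from the ASP.NET Core project), the following IXmlEncryptor/IXmlDecryptor pair wraps each key's XML with AES-256-GCM under a key-wrapping key, so the persisted key ring carries only ciphertext plus an authentication tag. The DP_WRAP_KEY environment variable, the class names and the XML element names are assumptions of this example, and it assumes .NET 6 or later for AesGcm and RandomNumberGenerator.GetBytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;

// Key-wrapping key: 32 bytes, base64-encoded in DP_WRAP_KEY (the variable name
// is an assumption of this example, not an ASP.NET Core setting).
internal static class WrapKey
{
    public static byte[] Get() => Convert.FromBase64String(
        Environment.GetEnvironmentVariable("DP_WRAP_KEY")
        ?? throw new InvalidOperationException("DP_WRAP_KEY is not set"));
}

public sealed class AesGcmXmlEncryptor : IXmlEncryptor
{
    public EncryptedXmlInfo Encrypt(XElement plaintextElement)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(plaintextElement.ToString(SaveOptions.DisableFormatting));
        byte[] nonce = RandomNumberGenerator.GetBytes(12); // fresh per wrap; never reused under one key
        byte[] tag = new byte[16];
        byte[] ciphertext = new byte[plaintext.Length];
        using (var aes = new AesGcm(WrapKey.Get()))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        // The decryptor type is stored next to the ciphertext so the data protection
        // system knows which IXmlDecryptor to instantiate when it reads the key ring.
        var encrypted = new XElement("aesGcmWrappedKey",
            new XElement("nonce", Convert.ToBase64String(nonce)),
            new XElement("tag", Convert.ToBase64String(tag)),
            new XElement("ciphertext", Convert.ToBase64String(ciphertext)));
        return new EncryptedXmlInfo(encrypted, typeof(AesGcmXmlDecryptor));
    }
}

// Instantiated by the data protection system through its parameterless constructor.
public sealed class AesGcmXmlDecryptor : IXmlDecryptor
{
    public XElement Decrypt(XElement encryptedElement)
    {
        byte[] nonce = Convert.FromBase64String((string)encryptedElement.Element("nonce"));
        byte[] tag = Convert.FromBase64String((string)encryptedElement.Element("tag"));
        byte[] ciphertext = Convert.FromBase64String((string)encryptedElement.Element("ciphertext"));
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(WrapKey.Get()))
            aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws CryptographicException if tampered
        return XElement.Parse(Encoding.UTF8.GetString(plaintext));
    }
}
```

Register it after AddDataProtection() with services.Configure<KeyManagementOptions>(o => o.XmlEncryptor = new AesGcmXmlEncryptor()). The key-wrapping key then needs its own protection (a host secret store, a vault, or one of the in-box mechanisms above), since an attacker who reads both DP_WRAP_KEY and the key ring recovers every key.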