-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define a pattern for a component that ensures a data protection keyring has an active key #52916
Comments
This could be a comparable tool to dotnet-ef that used all of the configuration from the current project but ignored the read-only flag. That way it could support all the different types of data stores without additional configuration (e.g. key-vault, EF, files, custom). https://learn.microsoft.com/en-us/ef/core/cli/dotnet edit project integration might make less sense if this is primarily intended for use in production. |
Thanks for contacting us. We're moving this issue to the |
The proof-of-concept system seems to be working, so we should probably write this up. |
I put some draft text here. |
Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
Same as #52915. We want to separate keyring reads from keyring writes to avoid races when there are multiple consumers. If we make consumers read-only, we need a dedicated writer to ensure there's an active key in a newly-created keyring and an unexpired key in an existing one.
Describe the solution you'd like
We could make a simple command-line executable that can be run either periodically or on a dynamic schedule. It needs only basic data protection functionality:
Additional context
For compatibility, this component basically has to consume the existing Data Protection APIs. That effectively locks us to C#, but our Data Protection usage should be simple enough to allow AOT for consumers that don't have a CLR available.
We probably don't want to expose an API for all the possible storage locations of the keyring, so it will probably just be a path.
It's not yet clear whether this will be a reusable component or merely a sample/template that can be customized per-application.
The text was updated successfully, but these errors were encountered: