ASP.NET Data Protection Support #371

Closed
cbeall opened this issue Jun 7, 2016 · 8 comments
Labels
feature-request A feature should be added or improved. guidance Question that needs advice or information.

Comments

@cbeall

cbeall commented Jun 7, 2016

As part of the efforts with .NET Core, Microsoft has done work with key management and data protection. They've defined several interfaces for doing all of this. The documentation can be found here: https://docs.asp.net/en/latest/security/data-protection/index.html

The first 25 minutes of this presentation also provide a nice overview of how this works. https://vimeo.com/153102690

There would be many benefits for .NET applications on AWS to be able to leverage an implementation of IDataProtectionProvider that is associated with KMS. One major benefit is it helps remove dependencies on the machine key being shared across instances of an application.

There is an implementation (I don't believe it's "official") for Azure here: https://github.com/GrabYourPitchforks/DataProtection.Azure/tree/dev

I was wondering if there are any plans to build this into the AWS .NET SDK, and if not, is there any guidance on alternative approaches?

@normj
Member

normj commented Jun 8, 2016

Sounds like a really cool idea. I'm reading through the docs to understand what it would mean to have an implementation with KMS.

@normj normj added the feature-request A feature should be added or improved. label Jun 8, 2016
@hotchkj

hotchkj commented Jul 2, 2016

It's similarly nothing 'official', but I have an existing implementation of this at https://github.com/hotchkj/AspNetCore.DataProtection.Aws

@normj
Member

normj commented Jul 5, 2016

Thanks for the link, it is very interesting. Since the API for the IXmlRepository is get all and store a key, and get all is the heavily used call, I was thinking I would store all the keys in one object and have the store key conditionally write. That way get all only has to do one service call instead of the list and N number of get calls. For the store I would load the object, append the new key and write the object back to S3 with the condition check on the ETag from the load call. If that failed on the ETag then retry the logic. That would cover the case of somebody else writing to the file between the load and save.
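The load, append, conditional-write, retry loop described in the comment above, as an added example that is not code from this thread, from the AWS SDK, or from either linked repository. It is written against a constructed in-memory stand-in for an S3 bucket so it runs offline; the stand-in honors If-Match and If-None-Match preconditions on put (real S3 only added those preconditions to PutObject in 2024, and the first-writer If-None-Match="*" case is an addition not mentioned in the comment). FakeS3Bucket, SingleObjectXmlRepository, inject_concurrent_write, make_key_element and the simplified <key> elements are illustrative names and assumptions, not ASP.NET or AWS identifiers.

```python
"""Key ring as one S3 object with ETag-conditional writes (simulation).

Added example: the bucket below is a constructed in-memory stand-in for S3
that honors If-Match / If-None-Match on put; it is not the AWS SDK.
"""
import hashlib
import xml.etree.ElementTree as ET


class PreconditionFailed(Exception):
    """Stands in for S3's HTTP 412: the precondition on the put did not hold."""


class FakeS3Bucket:
    """Constructed in-memory bucket. The ETag is the MD5 of the body, as S3
    computes it for non-multipart uploads."""

    def __init__(self):
        self._objects = {}  # key -> (body bytes, etag)

    def get_object(self, key):
        """Return (body, etag); (None, None) when the key does not exist."""
        return self._objects.get(key, (None, None))

    def put_object(self, key, body, if_match=None, if_none_match=None):
        """Write body; raise 412 if the If-Match ETag is stale, or if
        If-None-Match="*" is given and the object already exists."""
        _, current = self._objects.get(key, (None, None))
        if if_match is not None and if_match != current:
            raise PreconditionFailed(f"{key}: ETag {current} != {if_match}")
        if if_none_match == "*" and current is not None:
            raise PreconditionFailed(f"{key}: object already exists")
        etag = hashlib.md5(body).hexdigest()
        self._objects[key] = (body, etag)
        return etag


def make_key_element(key_id):
    """Simplified stand-in for one <key> element of the ASP.NET key ring XML."""
    return ET.Element("key", id=key_id, version="1")


class SingleObjectXmlRepository:
    """Whole key ring in one object: get-all is a single GET; store is
    load -> append -> conditional PUT -> reload and retry on 412."""

    def __init__(self, bucket, key="keyring.xml", max_attempts=5):
        self.bucket = bucket
        self.key = key
        self.max_attempts = max_attempts
        self.last_attempts = 0  # rounds the most recent store needed

    def get_all_elements(self):
        body, _ = self.bucket.get_object(self.key)
        return [] if body is None else list(ET.fromstring(body))

    def store_element(self, element):
        for attempt in range(1, self.max_attempts + 1):
            self.last_attempts = attempt
            body, etag = self.bucket.get_object(self.key)
            root = ET.Element("keys") if body is None else ET.fromstring(body)
            root.append(element)
            new_body = ET.tostring(root)
            try:
                if etag is None:
                    # First writer: create only if nobody created it meanwhile.
                    self.bucket.put_object(self.key, new_body, if_none_match="*")
                else:
                    # Replace only the exact version we loaded.
                    self.bucket.put_object(self.key, new_body, if_match=etag)
                return
            except PreconditionFailed:
                continue  # someone wrote between our load and put: reload, retry
        raise RuntimeError(f"gave up storing key after {self.max_attempts} attempts")


def inject_concurrent_write(bucket, key, interloper_element):
    """Constructed race: right after the next load of `key`, a second writer
    appends its own key, so the first writer's If-Match put must see a 412."""
    original_get = bucket.get_object
    armed = [True]

    def racing_get(k):
        body, etag = original_get(k)
        if k == key and armed[0]:
            armed[0] = False
            bucket.get_object = original_get
            SingleObjectXmlRepository(bucket, key).store_element(interloper_element)
        return body, etag

    bucket.get_object = racing_get


if __name__ == "__main__":
    bucket = FakeS3Bucket()
    repo = SingleObjectXmlRepository(bucket)
    repo.store_element(make_key_element("k1"))
    inject_concurrent_write(bucket, repo.key, make_key_element("k2"))
    repo.store_element(make_key_element("k3"))
    print([e.get("id") for e in repo.get_all_elements()], repo.last_attempts)
```

The point of the precondition is key ring integrity: without it, two application instances rotating on the same day can each read the ring, append their own key and write it back, and whichever PUT lands last silently drops the other's key, after which one instance can no longer unprotect payloads the other produced. With the 412-and-retry loop every appended key survives, at the cost of one extra round trip per lost race. Against real S3 the two preconditions are the If-Match and If-None-Match request headers on PutObject.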

@hotchkj

hotchkj commented Jul 5, 2016

Intriguing idea! I did not know S3 had a conditional PUT operation as you describe.

To play devil's advocate, the typical usage of DataProtection would have keys with expiry by default every 90 days, which probably isn't going to push S3 usage beyond a few hundred objects over the course of years of operation.

I was also pondering whether it was more efficient to cache the older XML entries (since they're encrypted if one is also using KMS) client-side, rather than solely a bulk fetch. Using a single S3 key for the entire set of keys makes caching a bit harder to implement. Then again, caching might not be necessary either, given that according to ASP.NET docs, the key ring is already cached and refreshed every 24 hours or when a key expires, so performance concerns may not be that significant.

@vellozzi
Contributor

vellozzi commented May 9, 2017

This has been added to our feature request list at https://github.com/aws/aws-sdk-net/blob/master/FEATURE_REQUESTS.md

@vellozzi vellozzi closed this as completed May 9, 2017
@diehlaws diehlaws added guidance Question that needs advice or information. and removed Question labels Jan 3, 2019
@niemyjski

This would be awesome!

@normj
Member

normj commented Apr 20, 2020

@niemyjski This was implemented in the aws-ssm-data-protection-provider-for-aspnet repository.

@niemyjski

Thanks for the follow-up, I'll check it out. This would be a strong case for not closing issues in favor of a feature request list, which doesn't appear to be updated.
