Tags: azure, asp.net-core, azure-app-service, data-protection

Using Asp.Net Core Data Protection in scalable Azure App service


I am building an Asp.net core app which takes advantage of the Data Protection capabilities to encrypt cookie values, running in a Windows Azure App Service.

My understanding is that this protection is based on a key ring which provides the encryption keys to use, but I am unclear on whether or not the key ring will stay the same in a scaled-out environment.

When the Azure App Service scales out (without session affinity), is the same key ring used and, if so, will users using the site be able to connect to different nodes without experiencing difficulty with the app failing to decrypt the cookie?

Thanks!


Solution

  • Quote from docs:

    The app attempts to detect its operational environment and handle key configuration on its own.

    1. If the app is hosted in Azure Apps, keys are persisted to the %HOME%\ASP.NET\DataProtection-Keys folder. This folder is backed by network storage and is synchronized across all machines hosting the app.
      • Keys aren't protected at rest.
      • The DataProtection-Keys folder supplies the key ring to all instances of an app in a single deployment slot.
      • Separate deployment slots, such as Staging and Production, don't share a key ring. When you swap between deployment slots, for example swapping Staging to Production or using A/B testing, any app using Data Protection won't be able to decrypt stored data using the key ring inside the previous slot. This leads to users being logged out of an app that uses the standard ASP.NET Core cookie authentication, as it uses Data Protection to protect its cookies. If you desire slot-independent key rings, use an external key ring provider, such as Azure Blob Storage, Azure Key Vault, a SQL store, or Redis cache.

    So it will store the keys unencrypted on the network storage that is shared across all instances of your App Service. So it should just work.
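As an added example that is not part of the original question or answer: a `Program.cs` that follows the last sentence of the quoted docs and moves the key ring out of the per-slot `%HOME%\ASP.NET\DataProtection-Keys` folder into Azure Blob Storage, with each key wrapped by an Azure Key Vault key so the ring is also protected at rest. The configuration keys, the application name, the purpose string and the diagnostic endpoint paths are assumptions for illustration; the registration calls come from the `Microsoft.AspNetCore.DataProtection`, `Azure.Extensions.AspNetCore.DataProtection.Blobs`, `Azure.Extensions.AspNetCore.DataProtection.Keys` and `Azure.Identity` packages.

```csharp
// Program.cs: added example, not code from the original post.
using Azure.Identity;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys. Set them as App Service application settings
// (DataProtection__KeyRingBlobUri, DataProtection__KeyVaultKeyUri) on every
// slot so Staging and Production point at the same blob and the same key.
//   https://<account>.blob.core.windows.net/<container>/keys.xml
//   https://<vault>.vault.azure.net/keys/<key-name>
var keyRingBlobUri = new Uri(builder.Configuration["DataProtection:KeyRingBlobUri"]!);
var keyVaultKeyUri = new Uri(builder.Configuration["DataProtection:KeyVaultKeyUri"]!);

// DefaultAzureCredential uses the App Service managed identity in Azure and a
// developer login locally. That identity needs Storage Blob Data Contributor on
// the container and get / wrapKey / unwrapKey on the Key Vault key.
var credential = new DefaultAzureCredential();

builder.Services.AddDataProtection()
    // Fixed application name: cookies protected by one deployment stay readable
    // by another deployment of the same app that shares this key ring.
    .SetApplicationName("contoso-web")
    // Key ring lives in one blob instead of the slot-local folder, so every
    // scaled-out instance and every slot loads the same keys.
    .PersistKeysToAzureBlobStorage(keyRingBlobUri, credential)
    // The default Azure Apps provider leaves keys unprotected at rest; here each
    // key is encrypted with the Key Vault key before it is written to the blob.
    .ProtectKeysWithAzureKeyVault(keyVaultKeyUri, credential);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

var app = builder.Build();
app.UseAuthentication();

// Diagnostic endpoint (assumed path): call it on several instances or on both
// slots and compare the key ids; identical lists mean one shared key ring.
app.MapGet("/dp/keys", (IKeyManager keyManager) =>
    keyManager.GetAllKeys().Select(k => new
    {
        k.KeyId,
        k.CreationDate,
        k.ActivationDate,
        k.ExpirationDate,
        k.IsRevoked,
    }));

// Round trip: protect on one instance, unprotect on another, to show that a
// cookie-style payload survives a hop between nodes without session affinity.
app.MapGet("/dp/protect", (IDataProtectionProvider provider, string value) =>
    provider.CreateProtector("demo").Protect(value));

app.MapGet("/dp/unprotect", (IDataProtectionProvider provider, string token) =>
{
    try
    {
        return Results.Ok(provider.CreateProtector("demo").Unprotect(token));
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Thrown when this instance's key ring lacks the key that produced the
        // token: the symptom the docs describe after a slot swap.
        return Results.BadRequest("token was protected with a key this instance does not have");
    }
});

app.Run();
```

Within a single slot the default configuration already shares the ring across instances, as the answer says, so this setup is only needed when swaps between slots must not log users out, or when the keys must not sit unencrypted on the shared storage. Remove or protect the `/dp/*` endpoints before shipping; they exist only to observe the key ring from each node.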