Data Protection is a built-in ASP.NET Core cryptographic API designed to persist trusted information when the storage medium itself is untrusted. Three properties make it stand out:
- Simple configuration — one line to add, one line to use
- Intuitive protect / unprotect API with purpose strings
- Complex key management hidden behind a clean abstraction
Setup via Dependency Injection
Add the package Microsoft.AspNetCore.DataProtection (included in the ASP.NET Core meta-package) and register the services:
// Register in DI
services.AddDataProtection();
// Inject IDataProtectionProvider and create a purpose-scoped protector
public class MyService
{
private readonly IDataProtector _protector;
public MyService(IDataProtectionProvider provider)
=> _protector = provider.CreateProtector("MyApp.MyFeature.v1");
public string Protect(string plainText) => _protector.Protect(plainText);
public string Unprotect(string cipherText) => _protector.Unprotect(cipherText);
}Factory Method (Without DI)
Outside of ASP.NET — in a console app or test — you can instantiate the provider directly using the static factory, as shown in the official samples:
// Non-DI factory pattern (from the DataProtection samples)
var provider = DataProtectionProvider.Create(
new DirectoryInfo(@"C:keys"),
configure => configure.SetApplicationName("MyApp"));
var protector = provider.CreateProtector("MyApp.MyFeature.v1");Key Storage Default
Without explicit key storage configuration, keys are persisted to:
- Windows:
%LOCALAPPDATA%\ASP.NET\DataProtection-Keys - Linux / macOS:
~/.aspnet/DataProtection-Keys - Azure App Service:
%HOME%\ASP.NET\DataProtection-Keys
For distributed deployments (multiple instances or containers) you must configure a shared key store — Redis, Azure Blob Storage, or a database — otherwise each instance generates its own keys and cannot unprotect data protected by another.
Protecting and Unprotecting Data
The purpose string is incorporated into the payload — protecting with purpose A and trying to unprotect with purpose B throws a CryptographicException. This provides isolation between features that share the same key ring:
var protector = provider.CreateProtector("MyPurpose");
string cipherText = protector.Protect("Hello world");
string recovered = protector.Unprotect(cipherText);
// The purpose is embedded in the payload — a different purpose throws
var wrong = provider.CreateProtector("WrongPurpose");
wrong.Unprotect(cipherText); // throws CryptographicExceptionIKeyManager
Microsoft does not recommend using IKeyManager directly in normal application code, but it is useful for administrative tooling — listing active keys, revoking compromised keys, or forcing early rotation:
// IKeyManager is accessible but not recommended by Microsoft for routine use
var keyManager = serviceProvider.GetRequiredService<IKeyManager>();
// List all keys
IReadOnlyCollection<IKey> allKeys = keyManager.GetAllKeys();
// Revoke a key
keyManager.RevokeKey(keyId, reason: "Compromised");
// Create a new key immediately
keyManager.CreateNewKey(
activationDate: DateTimeOffset.Now,
expirationDate: DateTimeOffset.Now.AddDays(90));