ASP.NET DataProtection — Digitteck
ASP.NET DataProtection
dotnet·15 June 2020·4 min read

ASP.NET DataProtection

Data Protection is a built-in ASP.NET Core cryptographic API designed to persist trusted information when the storage medium itself is untrusted. Three properties make it stand out:

  • Simple configuration — one line to add, one line to use
  • Intuitive protect / unprotect API with purpose strings
  • Complex key management hidden behind a clean abstraction

Setup via Dependency Injection

Add the package Microsoft.AspNetCore.DataProtection (included in the ASP.NET Core meta-package) and register the services:

csharp
// Register in DI
services.AddDataProtection();

// Inject IDataProtectionProvider and create a purpose-scoped protector
public class MyService
{
    private readonly IDataProtector _protector;

    public MyService(IDataProtectionProvider provider)
        => _protector = provider.CreateProtector("MyApp.MyFeature.v1");

    public string Protect(string plainText)   => _protector.Protect(plainText);
    public string Unprotect(string cipherText) => _protector.Unprotect(cipherText);
}

Factory Method (Without DI)

Outside of ASP.NET — in a console app or test — you can instantiate the provider directly using the static factory, as shown in the official samples:

csharp
// Non-DI factory pattern (from the DataProtection samples)
var provider = DataProtectionProvider.Create(
    new DirectoryInfo(@"C:keys"),
    configure => configure.SetApplicationName("MyApp"));

var protector = provider.CreateProtector("MyApp.MyFeature.v1");

Key Storage Default

Without explicit key storage configuration, keys are persisted to:

  • Windows: %LOCALAPPDATA%\ASP.NET\DataProtection-Keys
  • Linux / macOS: ~/.aspnet/DataProtection-Keys
  • Azure App Service: %HOME%\ASP.NET\DataProtection-Keys

For distributed deployments (multiple instances or containers) you must configure a shared key store — Redis, Azure Blob Storage, or a database — otherwise each instance generates its own keys and cannot unprotect data protected by another.

Protecting and Unprotecting Data

The purpose string is incorporated into the payload — protecting with purpose A and trying to unprotect with purpose B throws a CryptographicException. This provides isolation between features that share the same key ring:

csharp
var protector = provider.CreateProtector("MyPurpose");

string cipherText = protector.Protect("Hello world");
string recovered  = protector.Unprotect(cipherText);

// The purpose is embedded in the payload — a different purpose throws
var wrong = provider.CreateProtector("WrongPurpose");
wrong.Unprotect(cipherText); // throws CryptographicException

IKeyManager

Microsoft does not recommend using IKeyManager directly in normal application code, but it is useful for administrative tooling — listing active keys, revoking compromised keys, or forcing early rotation:

csharp
// IKeyManager is accessible but not recommended by Microsoft for routine use
var keyManager = serviceProvider.GetRequiredService<IKeyManager>();

// List all keys
IReadOnlyCollection<IKey> allKeys = keyManager.GetAllKeys();

// Revoke a key
keyManager.RevokeKey(keyId, reason: "Compromised");

// Create a new key immediately
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.Now,
    expirationDate: DateTimeOffset.Now.AddDays(90));

Tags

.NETASP.NET CoreData Protection
digitteck

© 2026 Digitteck