Data protection is a built-in cryptographic API which provides developer capabilities to persist trusted information while considering that the storage is untrusted.
- Simplicity in configuration
- Intuitive API
- complex/hidden key management principles
To use data protection simply add the following package:
To create the provider you can use the dependency injection:
or you can instantiate the provider using the factory method as illustrated in the DataProtection samples
If you don’t specify the key storage mechanism, where are the keys stored? To find out I downloaded and compiled the source code of DataProtection. And following line by line in the debugger, I reached this line:
Protecting and unprotecting data is easy (to use, the implementation is quite complex)
As you can see without the write purpose, un-protecting is not possible. The purpose will be part of the payload, it is firstly used to create a AdditionalAuthenticatedDataTemplate, (which in simple terms stores the purpose, tailored for each key ring, in memory in a byte array format, along with some other information) and then it’s used in the encryption mechanism
While using this service is not recommended by Microsoft, it’s good to know that you can access this manager and manage your keys if you need so.