manage data protection keys with azure and enc

2025-07-01 08:02:49 -05:00 · 2017-03-23 22:02:55 -04:00
parent 47477f6ca5
commit ca9aa40873
4 changed files with 23 additions and 0 deletions
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@ -22,6 +22,7 @@
  </ItemGroup>

  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.AzureStorage" Version="1.0.1" />
    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.1" />
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -31,6 +31,8 @@ using Serilog;
 using Serilog.Events;
 using Bit.Api.IdentityServer;
 using Bit.Core.Enums;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.WindowsAzure.Storage;

 namespace Bit.Api
 {
@ -71,6 +73,16 @@ namespace Bit.Api
            services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
            services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));

+            // Data Protection
+            if(Environment.IsProduction())
+            {
+                var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
+                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
+                services.AddDataProtection()
+                    .PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml")
+                    .ProtectKeysWithCertificate(dataProtectionCert);
+            }
+
            // Repositories
            services.AddSingleton<IUserRepository, SqlServerRepos.UserRepository>();
            services.AddSingleton<ICipherRepository, SqlServerRepos.CipherRepository>();
@ -81,6 +93,7 @@ namespace Bit.Api
            services.AddSingleton<ISubvaultRepository, SqlServerRepos.SubvaultRepository>();
            services.AddSingleton<ISubvaultUserRepository, SqlServerRepos.SubvaultUserRepository>();
            services.AddSingleton<IFolderRepository, SqlServerRepos.FolderRepository>();
+            services.AddSingleton<ISubvaultCipherRepository, SqlServerRepos.SubvaultCipherRepository>();

            // Context
            services.AddScoped<CurrentContext>();
--- a/src/Api/settings.json
+++ b/src/Api/settings.json
@ -24,6 +24,9 @@
    "identityServer": {
      "certificateThumbprint": "SECRET"
    },
+    "dataProtection": {
+      "certificateThumbprint": "SECRET"
+    },
    "storage": {
      "connectionString": "SECRET"
    },