manage data protection keys with azure and enc

src/Api/Api.csproj

@@ -22,6 +22,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.AzureStorage" Version="1.0.1" />
     <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.1.1" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
     <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.1" />

src/Api/Startup.cs

@@ -31,6 +31,8 @@ using Serilog;
 using Serilog.Events;
 using Bit.Api.IdentityServer;
 using Bit.Core.Enums;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.WindowsAzure.Storage;
 
 namespace Bit.Api
 {
@@ -71,6 +73,16 @@ namespace Bit.Api
             services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
             services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));
 
+            // Data Protection
+            if(Environment.IsProduction())
+            {
+                var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
+                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
+                services.AddDataProtection()
+                    .PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml")
+                    .ProtectKeysWithCertificate(dataProtectionCert);
+            }
+
             // Repositories
             services.AddSingleton<IUserRepository, SqlServerRepos.UserRepository>();
             services.AddSingleton<ICipherRepository, SqlServerRepos.CipherRepository>();
@@ -81,6 +93,7 @@ namespace Bit.Api
             services.AddSingleton<ISubvaultRepository, SqlServerRepos.SubvaultRepository>();
             services.AddSingleton<ISubvaultUserRepository, SqlServerRepos.SubvaultUserRepository>();
             services.AddSingleton<IFolderRepository, SqlServerRepos.FolderRepository>();
+            services.AddSingleton<ISubvaultCipherRepository, SqlServerRepos.SubvaultCipherRepository>();
 
             // Context
             services.AddScoped<CurrentContext>();

src/Api/settings.json

@@ -24,6 +24,9 @@
     "identityServer": {
       "certificateThumbprint": "SECRET"
     },
+    "dataProtection": {
+      "certificateThumbprint": "SECRET"
+    },
     "storage": {
       "connectionString": "SECRET"
     },

src/Core/GlobalSettings.cs

@@ -11,6 +11,7 @@
         public virtual PushSettings Push { get; set; } = new PushSettings();
         public virtual StorageSettings Storage { get; set; } = new StorageSettings();
         public virtual IdentityServerSettings IdentityServer { get; set; } = new IdentityServerSettings();
+        public virtual DataProtectionSettings DataProtection { get; set; } = new DataProtectionSettings();
         public virtual DocumentDbSettings DocumentDb { get; set; } = new DocumentDbSettings();
 
         public class SqlServerSettings
@@ -49,6 +50,11 @@
             public string CertificateThumbprint { get; set; }
         }
 
+        public class DataProtectionSettings
+        {
+            public string CertificateThumbprint { get; set; }
+        }
+
         public class DocumentDbSettings
         {
             public string Uri { get; set; }