Update Key Management Documentation #3273

Closed
joshbartley opened this issue Apr 25, 2017 · 4 comments

@joshbartley

The Key Management documentation at (https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/default-settings#data-protection-default-settings) does not account for all scenarios. The four scenarios listed do not account for applications that are load balanced outside of the Azure Web Sites offering.

I think the documentation should be updated with the following information.

  1. For load balanced scenarios, not on Azure Web Sites, a Key Management repository that will store keys out of process is required. The http://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection/ package provides Key Management repositories using AzureBlob, Azure Key Management, and Redis.

Also update the paragraph below the four listed options, as "The first three options above should good defaults" is a typo I believe.

Below this, the documentation should provide code samples for configuration for the Startup.cs. The current samples are inside the DataProtection samples folder which is not linked and makes it tougher to find.

I think I can try to write this up and PR this if everyone agrees this is an issue.
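The kind of Startup.cs sample the post asks for, added here as an illustration rather than code from the issue or from the ASP.NET Core docs: every node in a load-balanced deployment is pointed at the same out-of-process key ring (Redis when a connection string is configured, otherwise a shared file system path), shares one application name, and encrypts keys at rest with a certificate present on each node. The configuration keys, the application name and the 2.x-era `ProtectKeysWithCertificate(string thumbprint)` overload are assumptions of this example.

```csharp
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using StackExchange.Redis;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Nodes that share a key ring must also share an application name;
        // otherwise a cookie or antiforgery token protected by one node cannot
        // be unprotected by another. "contoso-web" is a placeholder.
        var builder = services.AddDataProtection()
            .SetApplicationName("contoso-web");

        // Hypothetical configuration keys; supply them per environment.
        var redisConnection = Configuration["DataProtection:RedisConnection"];
        if (!string.IsNullOrEmpty(redisConnection))
        {
            // Redis-backed key ring (Microsoft.AspNetCore.DataProtection.Redis).
            var redis = ConnectionMultiplexer.Connect(redisConnection);
            builder.PersistKeysToRedis(redis, "DataProtection-Keys");
        }
        else
        {
            // Shared path (e.g. a UNC share) that every node can read and write,
            // so keys survive restarts and redeploys instead of being regenerated
            // per process, which would invalidate payloads issued by other nodes.
            builder.PersistKeysToFileSystem(
                new DirectoryInfo(Configuration["DataProtection:KeyRingPath"]));
        }

        // Encrypt keys at rest with a certificate installed on every node, so the
        // shared store never holds plaintext key material. DPAPI is not suitable
        // here because it is bound to a single machine.
        builder.ProtectKeysWithCertificate(
            Configuration["DataProtection:CertificateThumbprint"]);

        services.AddMvc();
    }
}
```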

@Rick-Anderson Rick-Anderson added this to the Backlog milestone Jun 8, 2017
@Rick-Anderson
Contributor

@blowdart please review this proposed work.

@Rick-Anderson Rick-Anderson added Pri2 and removed Pri3 labels Jun 8, 2017
@blowdart
Contributor

blowdart commented Jun 9, 2017

Looks fine to me.

@guardrex
Collaborator

guardrex commented Oct 13, 2017

@blowdart @Rick-Anderson I looked at this for #4549.

> The four scenarios listed do not account for applications that are load balanced outside of the Azure Web Sites offering.

The list pertains to this line from the topic ...

> The app attempts to detect its operational environment and handle key configuration on its own.

i.e., "detect[ion] ... [and] ... configuration [without dev attention]."

These statements are written from the app's/DP's perspective ... what the app can and can't do on its own for key management ... not from the developer's perspective. It isn't currently written as a list of all of the ways that key management can be handled; it's more like these first three are handled for you and the fourth isn't. The fourth covers cases where the app will lose its keys. The line immediately under the list refers directly to the overview, where PersistKeysToFileSystem is covered.

It could be re-written to address out-of-process providers, but my current understanding is that topics that describe KV and Redis won't be initiated until 2.1. We'd also need to bring in a sixth entry for custom key extensibility approaches (@blowdart, you may recall my RexHacks™️ to do key management with Azure Table Storage in ancient times! lol). We'd need a seventh entry for PersistKeysToFileSystem.

> Below this, the documentation should provide code samples for configuration for the Startup.cs.

I kind'a doubt that would work well here. There will be a topic for each provider in the future, so I think the full topics would be better to address each configuration. Those could be linked here as See also topics.

To address what I can now, I'm adding a See also section to #4549 with a link to the key extensibility topic. I already added a line about Docker, and I'm adding another line that external providers are useful in web farm scenarios that also surfaces PersistKeysToFileSystem.

@joshbartley That won't get everything you're asking for; but when 2.1 comes around, yes, I think what you want will be added to the docs. Those new topics for the external providers will be well linked in here.

@joshbartley
Author

Thanks @guardrex. Expanding on the documentation will be good. I just know a few people on the enterprise side look at these docs for on-premise enterprise deployments, and that causes some friction in adoption on those environments. I know it caused me some trouble trying to get something going when I didn't have a local Redis server available. Thanks!
