ASP.NET Data Protection Support

[cbeall]

As part the efforts with .NET Core, Microsoft has done work with key management and data protection. They've defined several interfaces for doing all of this. The documentation can be found here: https://docs.asp.net/en/latest/security/data-protection/index.html

The first 25 minutes of this presentation also provide a nice overview of how this works. https://vimeo.com/153102690

There would be many benefits for .NET applications on AWS to be able to leverage an implementation of IDataProtectionProvider that associated with KMS. One major benefit is it helps remove dependencies on the machine key being shared across instances of an application.

There is an implementation (I don't believe its "official") of an implementation for Azure here: https://github.com/GrabYourPitchforks/DataProtection.Azure/tree/dev

I was wondering if there are any plans to build this into the AWS .NET SDK, and if not, is there any guidance on alternative approaches?

[normj]

Sounds like a really cool idea. I'm reading through the docs to understand what it would mean to have an implementation with KMS.

[hotchkj]

It's similarly nothing 'official', but I have an existing implementation of this at https://github.com/hotchkj/AspNetCore.DataProtection.Aws

[normj]

Thanks for the link it is very interesting. Since the API for the IXmlRepository is get all and store a key and get all being the heavily used call I was thinking I would store all the keys in one object and have the store key conditionally write. That way get all only has to do one service call instead of the list and N number of get calls. For the store I would load the object, append the new key and write the object back to S3 with the condition check on the ETag from the load call. If that failed on the ETag then retry the logic. That would cover the case of somebody else writing to the file between the load and save.

[hotchkj]

Intriguing idea! I did not know S3 had a conditional PUT operation as you describe.

To play devil's advocate, the typical usage of DataProtection would have keys with expiry by default every 90 days, which probably isn't going to push S3 usage beyond a few hundred objects over the course of years of operation.

I was also pondering whether it was more efficient to cache the older XML entries (since they're encrypted if one is also using KMS) client-side, rather than solely a bulk fetch. Using a single S3 key for the entire set of keys makes caching a bit harder to implement. Then again, caching might not be necessary either, given that according to ASP.NET docs, the key ring is already cached and refreshed every 24 hours or when a key expires, so performance concerns may not be that significant.

[vellozzi]

This has been added to our feature request list at https://github.com/aws/aws-sdk-net/blob/master/FEATURE_REQUESTS.md

[niemyjski]

This would be awesome!

[normj]

@niemyjski This was implememnted the aws-ssm-data-protection-provider-for-aspnet repository.

[niemyjski]

Thanks for the followup I'll check it out. This would be a strong case for not closing issues for a feature request list of which doesn't appear to be updated.