[Security] Key Management (Implement topic)

Post Series: ASP.NET Core Security

The data protection system automatically manages the lifetime of the master keys used to protect and unprotect payloads.

A key is in one of 4 stages: Created, Active, Expired, Revoked

Default key: the data protection system chooses the key with the most recent activation date

Generated key: if the key is expired or revoked, and the application has not disabled automatic key generation, a new key is generated with immediate activation, per the key expiration and rolling policy below

Disabled automatic key generation: the system still chooses a default key from the non-revoked keys, and may choose an expired default key as a result

The system never chooses a revoked key as the default key

Key ring is empty and every key has been revoked => error on initialization


Key expiration and rolling:

  • Activation is delayed: a new key becomes active at now + 2 days
  • Expiration at now + 90 days
  • Generate 2 days ahead: if the default key expires within 2 days and the key ring does not have a key that will be active when the default key expires => a new key is automatically persisted with
    • Activation date = default key's expiration
    • Expiration date = now + 90 days
  • Generate immediately: all keys in the key ring are expired
    • Activation date = now (without the 2-day delay)
    • Expiration date = now + 90 days
  • Configuration: the lifetime set with SetDefaultKeyLifetime must be larger than 7 days
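
The stages and the rolling rule above can be checked against a real key ring. The following console program is an added example, not code from the original post: it reads the keys through `IKeyManager`, labels each with its stage, and reports whether the "generate 2 days ahead" condition currently holds. The directory name, the purpose string, the 14-day lifetime and the `Stage` helper are assumptions made for the demo.

```csharp
using System;
using System.IO;
using System.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Assumption: scratch key ring directory used only for this demo.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keyring-demo"));

var services = new ServiceCollection();
services.AddDataProtection()
    .PersistKeysToFileSystem(keyDir)
    .SetDefaultKeyLifetime(TimeSpan.FromDays(14)); // illustrative value instead of 90 days
using var provider = services.BuildServiceProvider();

// Protecting a payload makes the system load the key ring and create a key if none is usable.
var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("KeyRingAudit.Demo"); // hypothetical purpose string
protector.Protect("constructed sample payload");

var now = DateTimeOffset.UtcNow;
var keys = provider.GetRequiredService<IKeyManager>().GetAllKeys();

foreach (var k in keys.OrderBy(k => k.ActivationDate))
    Console.WriteLine($"{k.KeyId:B} {Stage(k, now),-8} " +
        $"activates={k.ActivationDate:u} expires={k.ExpirationDate:u}");

// Approximation of the default-key heuristic: newest activation among active keys.
var defaultKey = keys.Where(k => Stage(k, now) == "Active")
    .OrderByDescending(k => k.ActivationDate).FirstOrDefault();
if (defaultKey is null)
    Console.WriteLine("No active key in the key ring.");
else
{
    var expiry = defaultKey.ExpirationDate;
    // A successor is a non-revoked key that is already active when the default expires.
    bool hasSuccessor = keys.Any(k => !k.IsRevoked
        && k.ActivationDate <= expiry && k.ExpirationDate > expiry);
    bool rollDue = expiry - now <= TimeSpan.FromDays(2) && !hasSuccessor;
    Console.WriteLine($"Default key {defaultKey.KeyId:B} expires {expiry:u}; new key due now: {rollDue}");
}

// Maps a key to one of the four stages listed above (hypothetical helper).
static string Stage(IKey k, DateTimeOffset now) =>
    k.IsRevoked ? "Revoked" : k.ExpirationDate <= now ? "Expired"
    : k.ActivationDate > now ? "Created"
    : "Active";
```

Run it as a console project that references the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages.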

Automatic key ring refresh

  • System initializes => the key ring is cached in memory
  • The system automatically checks the backing store every 24 hours or when the default key expires
  • Example….
