Data Protection Key Generation Race

[amcasey]

Data Protection normally generates a new key 48 hours before the current default key expires, so that all instances will refresh their keyrings before it is adopted. However, there's a corner case where the app isn't running at that time and an activated key is required immediately, in which case a key is generated with activation time equal(ish) to creation time. If multiple instances do this at the same time, it's possible for whichever publishes first to fail to observe the keys generated by other instances (even in the absence of clock skew), resulting in one or more instances being unable to decrypt data from other instances.

Idea: When an immediately-active key is generated, arrange to resync the keyring a few minutes later to heal.
Idea: Allow users to increase the 48 hour window to account for services that are (largely) inactive on weekends.

Extracted from #52561

[ghost]

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[amcasey]

To actually achieve consensus among app instances, instances would have to know how many peers they have, which they don't.

Another approach might be to associate an insertion order with each key ring entry for consistent tie-breaking across instances. Unfortunately, that would require a format change, which has its own drawbacks.

Currently, the main mitigation is the 2 minutes window after app startup during which cache misses trigger a cache refresh, which is reasonably effective, in practice.

[MichaelRomer]

We also noticed this issue within our business application which is running in a multi-replica Kubernetes context with encryption keys persisted in a database. The requests are distributed in a round robin manner and therefore it is quite common that multiple instances require a new key at ~ the same time after a few days of inactivity (weekend).

In our case the issue disrupts the OIDC login flow because the OIDC message state can only be decrypted by the instance that created the message originally.

[amcasey]

One possible mitigation, if your app is inactive weekends, would be to increase the key lifetime from 90 days to 91 days (divisible by 7) and then kick off key generation on (say) Thursday, so that refreshes consistently happen on Monday or Tuesday (depending on your dotnet version and some fudge factors).

[MichaelRomer]

We also considered that mitigation. However, as we are running multiple environments this has to be considered also when deploying to new environments. Besides that we try to reduce the number manual ops processes as much as possible. Therefore, we decided to try out another mitigation: using a healthcheck.

we already had a healthcheck in place which tries on startup if encryption works using the DataProtectionAPI (could fail due to misconfiguration of the certificate files). Now we are running this healtcheck regularly (each 24 hours). This should trigger the key refresh on weekend as well. However, we are still testing this approach.

[amcasey]

Besides that we try to reduce the number manual ops processes as much as possible

Can you elaborate? I was thinking of this (which I'm not, incidentally, claiming is a particularly good mitigation) as a one-time code change. Is there an ongoing cost I hadn't considered?

Now we are running this healtcheck regularly (each 24 hours)

Calling Protect at least once every 24 hours should suffice to trigger key re-generation at an appropriate time so that you don't end up with instances racing to make immediately-activated keys.

[MichaelRomer]

Can you elaborate? I was thinking of this (which I'm not, incidentally, claiming is a particularly good mitigation) as a one-time code change. Is there an ongoing cost I hadn't considered?

I tought about the "kick off key generation on a certain day" part. Not really ongoing costs but a "manual" step/consideration that could be easily missed on setup of new environments.

Calling Protect at least once every 24 hours should suffice to trigger key re-generation at an appropriate time so that you don't end up with instances racing to make immediately-activated keys.

This was our assumption why the healthcheck should be a suitable workaround. Thanks for the confirmation!

[amcasey]

I'm going to close this issue. Please post additional feedback in #36157 so we can track it centrally and don't drop any.