Description
Data Protection normally generates a new key 48 hours before the current default key expires, so that all instances will refresh their keyrings before it is adopted. However, there's a corner case where the app isn't running at that time and an activated key is required immediately, in which case a key is generated with activation time equal(ish) to creation time. If multiple instances do this at the same time, it's possible for whichever publishes first to fail to observe the keys generated by other instances (even in the absence of clock skew), resulting in one or more instances being unable to decrypt data from other instances.
Idea: When an immediately-active key is generated, arrange to resync the keyring a few minutes later to heal.
Idea: Allow users to increase the 48-hour window to account for services that are (largely) inactive on weekends.
Extracted from #52561
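
The race and the resync idea described above, as a toy model added here; it is not part of the original issue and is not ASP.NET Core code. The instance names, the in-memory repository, and the default-key rule (most recent activation wins) are assumptions made for the illustration.

```python
# Toy model of the startup race described above. Constructed for illustration;
# it is not ASP.NET Core code and performs no real cryptography.
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    keyring: dict = field(default_factory=dict)  # cached snapshot: key id -> activation time
    default_key: str = ""

    def start(self, repo: dict, now: float) -> None:
        # No usable key exists, so create one that is active immediately and publish it.
        repo[f"key-{self.name}"] = now
        self.refresh(repo)

    def refresh(self, repo: dict) -> None:
        # Cache whatever the shared repository holds at this moment.
        self.keyring = dict(repo)
        # Assumed selection rule: the most recently activated key becomes the default.
        self.default_key = max(self.keyring, key=lambda k: (self.keyring[k], k))

    def protect(self, data: str) -> tuple:
        return (self.default_key, data)

    def can_unprotect(self, payload: tuple) -> bool:
        # Decryption needs the protecting key to be in the cached keyring.
        return payload[0] in self.keyring


def undecryptable_pairs(names, heal: bool) -> set:
    """Return (reader, writer) pairs where reader cannot read writer's payload."""
    repo: dict = {}
    instances = [Instance(n) for n in names]
    for tick, inst in enumerate(instances):
        inst.start(repo, now=tick * 0.1)  # near-simultaneous cold starts
    if heal:
        for inst in instances:
            inst.refresh(repo)  # the delayed resync from the first idea
    return {
        (reader.name, writer.name)
        for reader in instances
        for writer in instances
        if not reader.can_unprotect(writer.protect("payload"))
    }


if __name__ == "__main__":
    print("no resync:", sorted(undecryptable_pairs("ABC", heal=False)))
    print("resync:   ", sorted(undecryptable_pairs("ABC", heal=True)))
```

Without the resync, every instance that published earlier holds a stale snapshot and cannot read payloads from later publishers; after one refresh all keyrings and default keys converge.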