
PersistKeysToAzureBlobStorage: 'Unable to retrieve the decryption key.' #32592


Closed
peterbomers opened this issue Nov 21, 2022 · 5 comments
Labels: Client (This issue points to a problem in the data-plane of the library), customer-reported (Issues that are reported by GitHub users external to the Azure organization), Extensions (ASP.NET Core extensions), needs-author-feedback (Workflow: More information is needed from author to address the issue), no-recent-activity (There has been no recent activity on this issue), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

Comments


peterbomers commented Nov 21, 2022

Azure.Extensions.AspNetCore.DataProtection.Blobs 1.2.1

We're using the ASP.NET Core Data Protection feature in a production environment with multiple instances and deployment slots.
Last week, after a deployment and a key rotation (default every 90 days), the Data Protection feature was no longer able to decrypt data from our database. It kept throwing CryptographicException: 'Unable to retrieve the decryption key.' and we lost vital information.

Our code setup looks like this:

services.AddDataProtection()
        // Shared key ring: blob "keys.xml" in container "data-protection", used by every instance and slot
        .PersistKeysToAzureBlobStorage(options.BlobStorage, "data-protection", "keys.xml")
        // Keys at rest are wrapped with the X.509 certificate fetched from Key Vault
        .ProtectKeysWithCertificate(keyVault.GetCertificate("data-protection"));

During deployment (application startup) we saw ClientOtherError in the blob storage monitoring.
The problem started after this deployment, and the keys file on the blob storage now contains weird entries.
Especially the creation, activation and expiration dates are strange. Below are the last 3 entries (total file size = 67kb).

<?xml version="1.0" encoding="utf-8"?>
<repository>
    <key id="d7720961-removed" version="1">
        <creationDate>2022-07-26T15:58:04.9292928Z</creationDate>
        <activationDate>2022-07-28T15:34:11.4371143Z</activationDate>
        <expirationDate>2022-10-24T15:58:04.907673Z</expirationDate>
        <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
            <descriptor>
                <encryption algorithm="AES_256_CBC" />
                <validation algorithm="HMACSHA256" />
                <encryptedSecret decryptorType="Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60"
                    xmlns="http://schemas.asp.net/2015/03/dataProtection">
                    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns="http://www.w3.org/2001/04/xmlenc#">
                        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                    <X509Data>
                                        <X509Certificate>removed</X509Certificate>
                                    </X509Data>
                                </KeyInfo>
                                <CipherData>
                                    <CipherValue>removed</CipherValue>
                                </CipherData>
                            </EncryptedKey>
                        </KeyInfo>
                        <CipherData>
                            <CipherValue>removed</CipherValue>
                        </CipherData>
                    </EncryptedData>
                </encryptedSecret>
            </descriptor>
        </descriptor>
    </key>
    <key id="a04a75a1-removed" version="1">
        <creationDate>2022-10-23T03:32:59.4371134Z</creationDate>
        <activationDate>2022-10-24T15:58:04.907673Z</activationDate>
        <expirationDate>2023-01-21T03:32:59.3917697Z</expirationDate>
        <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
            <descriptor>
                <encryption algorithm="AES_256_CBC" />
                <validation algorithm="HMACSHA256" />
                <encryptedSecret decryptorType="Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60"
                    xmlns="http://schemas.asp.net/2015/03/dataProtection">
                    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns="http://www.w3.org/2001/04/xmlenc#">
                        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                    <X509Data>
                                        <X509Certificate>removed</X509Certificate>
                                    </X509Data>
                                </KeyInfo>
                                <CipherData>
                                    <CipherValue>removed</CipherValue>
                                </CipherData>
                            </EncryptedKey>
                        </KeyInfo>
                        <CipherData>
                            <CipherValue>removed</CipherValue>
                        </CipherData>
                    </EncryptedData>
                </encryptedSecret>
            </descriptor>
        </descriptor>
    </key>
    <key id="2de0efd7-removed" version="1">
        <creationDate>2022-11-17T09:35:54.6857467Z</creationDate>
        <activationDate>2022-11-17T09:35:54.3656624Z</activationDate>
        <expirationDate>2023-02-15T09:35:54.3656624Z</expirationDate>
        <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
            <descriptor>
                <encryption algorithm="AES_256_CBC" />
                <validation algorithm="HMACSHA256" />
                <encryptedSecret decryptorType="Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60"
                    xmlns="http://schemas.asp.net/2015/03/dataProtection">
                    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns="http://www.w3.org/2001/04/xmlenc#">
                        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                    <X509Data>
                                        <X509Certificate>removed</X509Certificate>
                                    </X509Data>
                                </KeyInfo>
                                <CipherData>
                                    <CipherValue>removed</CipherValue>
                                </CipherData>
                            </EncryptedKey>
                        </KeyInfo>
                        <CipherData>
                            <CipherValue>removed</CipherValue>
                        </CipherData>
                    </EncryptedData>
                </encryptedSecret>
            </descriptor>
        </descriptor>
    </key>
</repository>

Our demand on the Data Protection feature is high and I suspect that the AzureBlobXmlRepository can't handle rotation very well in an environment with many concurrent requests.
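The pasted key ring can be checked mechanically for the patterns the reporter calls strange. This is an added example, not the reporter's code or the Azure SDK's: it parses the `<key>` entries and flags a key whose activation precedes its creation, and a key that pre-empts a predecessor which still had far more than the propagation window left before expiry. `KEYRING_XML` is constructed from the three entries above with the encrypted descriptors dropped, and the 2-day window is the `KeyManagementOptions.KeyPropagationWindow` default.

```python
# Added example, not code from the issue or the Azure SDK: parse a Data Protection key
# ring (the <repository>/<key> XML quoted above) and flag rotation anomalies. KEYRING_XML
# is constructed from the issue's three keys, abridged to the dated elements.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

KEYRING_XML = """<repository>
  <key id="d7720961-removed" version="1">
    <creationDate>2022-07-26T15:58:04.9292928Z</creationDate>
    <activationDate>2022-07-28T15:34:11.4371143Z</activationDate>
    <expirationDate>2022-10-24T15:58:04.907673Z</expirationDate>
  </key>
  <key id="a04a75a1-removed" version="1">
    <creationDate>2022-10-23T03:32:59.4371134Z</creationDate>
    <activationDate>2022-10-24T15:58:04.907673Z</activationDate>
    <expirationDate>2023-01-21T03:32:59.3917697Z</expirationDate>
  </key>
  <key id="2de0efd7-removed" version="1">
    <creationDate>2022-11-17T09:35:54.6857467Z</creationDate>
    <activationDate>2022-11-17T09:35:54.3656624Z</activationDate>
    <expirationDate>2023-02-15T09:35:54.3656624Z</expirationDate>
  </key>
</repository>"""
PROPAGATION_WINDOW = timedelta(days=2)  # KeyManagementOptions.KeyPropagationWindow default

def parse_ts(s):  # .NET writes a 'Z' suffix and 7-digit (100 ns) fractions
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", s)
    frac = (m.group(2) or "")[:6].ljust(6, "0")  # strptime takes at most six digits
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=int(frac), tzinfo=timezone.utc)

def parse_keyring(xml_text):
    keys = []
    for k in ET.fromstring(xml_text).iter("key"):
        dates = {n: parse_ts(k.findtext(n + "Date")) for n in ("creation", "activation", "expiration")}
        keys.append(dict(id=k.get("id"), **dates))
    return sorted(keys, key=lambda k: k["activation"])

def audit_keyring(keys):
    findings = []  # (key id, finding) pairs; empty means a clean rotation history
    for i, k in enumerate(keys):
        if k["activation"] < k["creation"]:
            findings.append((k["id"], "activation precedes creation"))
        for older in keys[:i]:
            # Healthy rotation creates a successor only once the default key is inside the
            # propagation window of expiry and activates it at that expiry; a key that pre-empts
            # one with plenty of life left matches the immediate-activation path an instance takes when it finds no existing key it can use.
            if older["expiration"] - k["creation"] > PROPAGATION_WINDOW and k["activation"] < older["expiration"]:
                findings.append((k["id"], "pre-empts " + older["id"]))
    return findings
```

On the three entries above only the third key is reported, both for its sub-second activation-before-creation and for pre-empting a04a75a1 with about two months of life left, while the first two keys form a normal hand-over.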

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 21, 2022
azure-sdk (Collaborator) commented:

Label prediction was below confidence level 0.6 for Model:ServiceLabels: 'Storage:0.50965524,Service Bus:0.027342962,Search:0.025486905'

@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. Extensions ASP.NET Core extensions needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Nov 21, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Nov 21, 2022
jsquire (Member) commented Nov 21, 2022

Thank you for your feedback. Tagging and routing to the team member best able to assist.

JoshLove-msft (Member) commented:

Hi @peterbomers, apologies for the delay. Do you happen to have a stack trace demonstrating the exception?

@JoshLove-msft JoshLove-msft added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jul 25, 2023
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jul 25, 2023
github-actions bot commented:

Hi @peterbomers. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions bot commented Aug 1, 2023

Hi @peterbomers, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@github-actions github-actions bot added the no-recent-activity There has been no recent activity on this issue. label Aug 1, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 16, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Dec 7, 2023