Storing sensitive data encrypted with the Data Protection API and PersistKeysToFileSystem

Problem description

Folks, I need to encrypt some string data into a SQL database from an MVC Core 2.0 application. I'm thinking of using the Data Protection API with PersistKeysToFileSystem so that I can restore the data to another server and decrypt the data using the same key file. I am impressed with the performance of the DPAPI in .NET Core and I don't want to go for any custom crypto solution as it's too risky. I would be storing bulk uploads of data to SQL. Strings before encryption would be 200 chars or less.

I believe that DPAPI is considered more suited to encrypting small pieces of data, e.g. passwords, as opposed to SQL bulk operations. Do folks consider using DPAPI to encrypt data into a database a good use case?

Recommended answer

The Data Protection API is not necessarily only for small pieces of data, but it is meant for relatively transient data. In other words, it's not really intended to be used to encrypt/decrypt long-term. The keys will be cycled at some point, and while old keys are kept around to allow for transition to new keys, you should not really rely on that.

According to the documentation:

It does go on to say that you can do so if you desire, though. However, things have to be handled in a different way if you might potentially be working with revoked keys. The documentation link above goes into all the detail on that. However, bear in mind that you're inherently operating on your data in a less secure way, since you're explicitly allowing revoked keys to be used to decrypt data.
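
The revoked-key handling the answer refers to, sketched as an added example that is not part of the original question or answer. The application name, purpose string, key directory and the `ColumnProtection` helper are assumptions made for illustration; the interface used is `IPersistedDataProtector.DangerousUnprotect` from ASP.NET Core Data Protection.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class ColumnProtection
{
    // Every server that must read the data needs the same key files AND the same
    // application name; both values below are assumed names for this sketch.
    public static IDataProtector Create(string keyDir)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("bulk-import-demo")
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir));
        return services.BuildServiceProvider()
            .GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("Demo.SqlColumn.v1");
    }

    // Decrypts a stored value even if its key was revoked, and hands back a
    // freshly protected payload when the row should be rewritten.
    public static string Read(IDataProtector protector, byte[] stored, out byte[] reprotected)
    {
        var persisted = (IPersistedDataProtector)protector;
        byte[] plain = persisted.DangerousUnprotect(
            stored,
            ignoreRevocationErrors: true,   // the weaker mode the answer warns about
            out bool requiresMigration,     // key is no longer the default key
            out bool wasRevoked);           // key was revoked: treat the row as suspect
        reprotected = (requiresMigration || wasRevoked) ? protector.Protect(plain) : null;
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        var protector = Create(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
        // Constructed sample value standing in for one database column.
        byte[] row = protector.Protect(Encoding.UTF8.GetBytes("constructed sample value"));
        Console.WriteLine(Read(protector, row, out var fresh));
        Console.WriteLine(fresh == null ? "no migration needed" : "row should be rewritten");
    }
}
```

Once the key persistence location is changed, the keys are no longer encrypted at rest automatically, so restrict access to the key directory or configure key encryption such as `ProtectKeysWithCertificate`.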

08-05 15:43