Closed billcunnien closed 1 month ago
When you add ProtectKeysWithCertificate, the Data Protection system will begin encrypting new keys with the certificate (as you've seen). Existing keys, whether unprotected or protected differently, will continue to remain in the key ring.
As each key in the Data Protection key ring is independent and carries its own encryption settings, adding ProtectKeysWithCertificate should not invalidate your existing unprotected keys - they should continue to function alongside the new encrypted keys without any issues.
There's some useful info here if you want a read: Configure ASP.NET Core Data Protection. As always with things like this, I would highly recommend testing these sorts of changes prior to deploying to production if at all possible.
Good news, then - thanks, Stu!
Thanks for answering this Stu! Closing the issue for now.
Duende.IdentityServer 7.0.6 .NET 8
Regarding DataProtection, if I add ProtectKeysWithCertificate to an existing PersistKeysToFileSystem folder with several unprotected keys already in use, will the older keys still work?
When I run the server in my local environment, it appears that a new encrypted key is generated (nice!). I assume that will happen in our production environment. But, I still need the older keys to work since there are things flying around out there in the wild that I will still need to support.
Thanks!! Bill
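The scenario Bill asks about and the behaviour Stu describes, as an added example that is not part of this thread and not Duende IdentityServer's or ASP.NET Core's own code. It builds the Data Protection system twice against the same key folder, first with PersistKeysToFileSystem alone and then with ProtectKeysWithCertificate added, and shows that a payload protected under the old unprotected key still unprotects after the change, while only keys written after the change carry an encrypted secret on disk. The certificate path, password, purpose string and key folder are hypothetical; it assumes a .NET 8 project that references Microsoft.AspNetCore.DataProtection.

```csharp
// Added example, not code from the thread or from Duende IdentityServer.
// Assumptions (hypothetical): a PFX containing the private key at CertPath,
// and the Microsoft.AspNetCore.DataProtection package (a .NET 8 web project
// already has it through the framework reference).
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

const string CertPath = "/etc/identityserver/dataprotection.pfx"; // hypothetical
const string CertPassword = "change-me";                           // hypothetical
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
keyDir.Create();
string oldPayload;

// Phase 1: the configuration before the change. Keys are written as plain XML.
var before = new ServiceCollection();
before.AddDataProtection().PersistKeysToFileSystem(keyDir);
using (var sp = before.BuildServiceProvider())
{
    // The first Protect call creates the key ring and writes key-<id>.xml unencrypted.
    var protector = sp.GetDataProtectionProvider().CreateProtector("demo-purpose");
    oldPayload = protector.Protect("issued before ProtectKeysWithCertificate");
}

// Phase 2: the same key folder, now with ProtectKeysWithCertificate.
// (The (path, password) constructor is fine on .NET 8; .NET 9 prefers X509CertificateLoader.)
var cert = new X509Certificate2(CertPath, CertPassword);
var after = new ServiceCollection();
after.AddDataProtection()
     .PersistKeysToFileSystem(keyDir)
     .ProtectKeysWithCertificate(cert);
using (var sp = after.BuildServiceProvider())
{
    var protector = sp.GetDataProtectionProvider().CreateProtector("demo-purpose");

    // The old, unprotected key is still in the ring and still readable,
    // so the payload issued in phase 1 round-trips unchanged.
    Console.WriteLine(protector.Unprotect(oldPayload));

    // Write a new key now instead of waiting for the ring to roll one on its own,
    // so the on-disk difference is visible in a single run. A running server
    // generates new keys itself; this explicit call is only for the demonstration.
    var keyManager = sp.GetRequiredService<IKeyManager>();
    var newKey = keyManager.CreateNewKey(
        activationDate: DateTimeOffset.UtcNow,
        expirationDate: DateTimeOffset.UtcNow.AddDays(90));
    Console.WriteLine($"created key {newKey.KeyId}");
}

// Inspect the key files. A certificate-protected key stores its material under an
// <encryptedSecret> element; an unprotected key stores it in clear under <masterKey>.
foreach (var file in keyDir.GetFiles("key-*.xml").OrderBy(f => f.CreationTimeUtc))
{
    var doc = XDocument.Load(file.FullName);
    bool encrypted = doc.Descendants().Any(e => e.Name.LocalName == "encryptedSecret");
    Console.WriteLine($"{file.Name}: {(encrypted ? "encrypted with certificate" : "UNPROTECTED")}");
}
```

Two things worth knowing before rolling this out: the existing unprotected key stays the ring's default key until it expires, so new payloads keep being issued under it for a while after the change, and once certificate-protected keys exist every instance that shares the key folder needs the certificate's private key to read them. If the certificate is later replaced, UnprotectKeysWithAnyCertificate lets the ring keep decrypting keys that were encrypted under the previous certificate.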