The key was not found in the key ring
I have a `netcoreapp3.1` application deployed to on-prem IIS instances using the .NET Core Hosting Bundle. Because the app is deployed to 2 load-balanced servers, we are using Data Protection Key management - seen in the last line here:
```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly AppSettings _appSettings;

    public Startup(IConfiguration config)
    {
        _config = config;
        _appSettings = _config.Get<AppSettings>();
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => false;
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = cookieContext => cookieContext.CookieOptions.SameSite = SameSiteMode.Unspecified;
            options.OnDeleteCookie = cookieContext => cookieContext.CookieOptions.SameSite = SameSiteMode.Unspecified;
        });
        services.Configure<AppSettings>(_config);
        // ...
        services.AddControllers();
        // ...
        services.UseGroupPolicies(_appSettings);
        // Persist the data protection key ring to the folder shared by both servers.
        services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(_appSettings.SharedFolderPath));
    }
}
```
For a long time this was running just fine but I've recently noticed that the application is logging a lot of these errors:
```
The key {<GUID>} was not found in the key ring.
```
With this stack trace:
```
System.Security.Cryptography.CryptographicException:
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore (Microsoft.AspNetCore.DataProtection, Version=3.1.9.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect (Microsoft.AspNetCore.DataProtection, Version=3.1.9.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect (Microsoft.AspNetCore.DataProtection, Version=3.1.9.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.Session.CookieProtection.Unprotect (Microsoft.AspNetCore.Session, Version=3.1.9.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
```
The two servers have a shared folder which allows them to share the data protection key file. This folder continues to have the appropriate permissions assigned and is not logging any issues with access to it.
What data is the application actually encrypting with these keys and how can I expunge any data encrypted with keys no longer in the key ring?
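One way to check, on each of the two servers, whether the GUID from the log entry is in the key ring that server actually loads. This is an added example, not code from the original post; `KeyRingReport` and `loggedKeyId` are hypothetical names, and the `IKeyManager` instance is assumed to be resolved from the container that `AddDataProtection()` populates:

```csharp
using System;
using System.Linq;
using System.Text;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

// Hypothetical diagnostic helper (not part of the original post).
public static class KeyRingReport
{
    // loggedKeyId: the GUID copied from a "was not found in the key ring" log entry.
    public static string Build(IKeyManager keyManager, Guid loggedKeyId)
    {
        var now = DateTimeOffset.UtcNow;

        // GetAllKeys() returns every key the configured repository exposes,
        // including expired and revoked ones.
        var keys = keyManager.GetAllKeys()
                             .OrderBy(k => k.CreationDate)
                             .ToList();

        var report = new StringBuilder();
        report.AppendLine($"{Environment.MachineName}: {keys.Count} key(s) in ring");

        foreach (var key in keys)
        {
            var state = key.IsRevoked ? "revoked"
                      : key.ExpirationDate <= now ? "expired"
                      : key.ActivationDate > now ? "not yet active"
                      : "active";
            report.AppendLine(
                $"  {key.KeyId:B} created {key.CreationDate:u} expires {key.ExpirationDate:u} [{state}]");
        }

        // The logged exception is raised when the key id embedded in the
        // protected payload matches none of the ids listed above.
        var found = keys.Any(k => k.KeyId == loggedKeyId);
        report.AppendLine(found
            ? $"Logged key {loggedKeyId:B} is present on this server."
            : $"Logged key {loggedKeyId:B} is absent from the key ring this server loads.");
        return report.ToString();
    }
}
```

Running it on both servers and comparing the two reports shows whether they read the same set of keys from the shared folder.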
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow