Section 5 of 6

Data Protection API

🎯 What You'll Learn

  • What is Data Protection API
  • Encrypting and decrypting data
  • Time-limited protection
  • Purpose strings
  • Key management

What is Data Protection API?

The Data Protection API (Microsoft.AspNetCore.DataProtection) is ASP.NET Core's built-in facility for authenticated encryption of application data. Protect() encrypts a payload and appends a MAC under a key drawn from a managed key ring; Unprotect() verifies the MAC before decrypting, so a modified payload is rejected with an exception rather than decrypted into garbage. ASP.NET Core uses it internally for authentication cookies, anti-forgery tokens, cookie-based TempData, and more, and the same API is available to application code through IDataProtectionProvider. It is designed for data the application itself will read back later, not for interoperating with other systems.

Basic Usage

1. Inject IDataProtectionProvider

Controller C#
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;

public class SecureController : Controller
{
    private readonly IDataProtector _protector;

    public SecureController(IDataProtectionProvider provider)
    {
        // The purpose string is mixed into key derivation. Pick one per kind of data
        // and treat it as part of the data format: changing it invalidates old payloads.
        _protector = provider.CreateProtector("InvenTrack.SecureData");
    }
}

2. Protect Data

Encrypt Data C#
var plainText = "Sensitive information";

// Returns a base64url string (header, key id, random nonce, ciphertext, MAC).
// Each call uses fresh randomness, so protecting the same value twice gives different output.
var encrypted = _protector.Protect(plainText);

// Store encrypted data

3. Unprotect Data

Decrypt Data C#
using System.Security.Cryptography;

try
{
    var decrypted = _protector.Unprotect(encrypted);
}
catch (CryptographicException)
{
    // Decryption failed: payload tampered, protected under a different purpose,
    // or protected with a key this application's key ring does not contain.
}
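The three steps above as one runnable console program. This is an added example, not code from the page; it uses EphemeralDataProtectionProvider (an in-memory key ring from the Microsoft.AspNetCore.DataProtection package) in place of the injected provider so that it runs outside a web host, and the plaintext and the character position flipped to simulate tampering are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Added example: Protect/Unprotect round trip with tamper detection.
// EphemeralDataProtectionProvider keeps its key ring in memory; in InvenTrack
// the IDataProtectionProvider is injected by the host instead.
public static class ProtectRoundTrip
{
    public static void Main()
    {
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();
        var protector = provider.CreateProtector("InvenTrack.SecureData");

        const string plainText = "Sensitive information";   // constructed sample input
        var payload1 = protector.Protect(plainText);
        var payload2 = protector.Protect(plainText);

        // Each Protect call draws fresh randomness, so equal inputs give different payloads.
        // Consequence: you cannot look records up by their protected value.
        Console.WriteLine($"same plaintext, equal payloads? {payload1 == payload2}");

        Console.WriteLine(protector.Unprotect(payload1));

        // Flip one character inside the payload (index 10 is an assumption; it lands in the
        // key-id/header region). Unprotect rejects it during key lookup or MAC verification,
        // and no plaintext is ever returned for a modified payload.
        var chars = payload1.ToCharArray();
        chars[10] = chars[10] == 'A' ? 'B' : 'A';
        try
        {
            protector.Unprotect(new string(chars));
            Console.WriteLine("unexpected: tampered payload accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered payload rejected");
        }

        // A second provider has its own key ring and cannot open the payload either,
        // which is why production instances must share one persisted key ring.
        var otherApp = new EphemeralDataProtectionProvider().CreateProtector("InvenTrack.SecureData");
        try
        {
            otherApp.Unprotect(payload1);
            Console.WriteLine("unexpected: foreign key ring accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("payload from another key ring rejected");
        }
    }
}
```

Every failure path surfaces as CryptographicException; the API deliberately does not distinguish "tampered" from "unknown key" to the caller, so log the event and treat the payload as invalid rather than trying to recover it.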

Time-Limited Protection

Protect data that should only be accepted for a limited period. The expiry is fixed when the data is protected, embedded in the payload under the same MAC as the data, and checked against the server's UTC clock at Unprotect time; it cannot be extended afterwards, and skewed clocks across instances shift the effective lifetime.

Time-Limited Protector C#
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;   // ToTimeLimitedDataProtector() extension

var timeLimitedProtector = _protector.ToTimeLimitedDataProtector();

// Protect with 1 hour expiration (UtcNow + 1h is stored inside the payload)
var encrypted = timeLimitedProtector.Protect(plainText, TimeSpan.FromHours(1));

// Unprotect - fails if expired
try
{
    var decrypted = timeLimitedProtector.Unprotect(encrypted);
}
catch (CryptographicException)
{
    // Expired or tampered; both cases throw the same exception type
}

Purpose Strings

Purpose strings isolate data: all protectors share the same key ring, but each purpose derives its own subkeys, so data protected with one purpose can't be unprotected with another. Purposes can be chained; CreateProtector("A").CreateProtector("B") and CreateProtector("A", "B") yield the same protector, which is useful for scoping a payload to a tenant or user.

Different Purposes C#
// provider is the injected IDataProtectionProvider
var protector1 = provider.CreateProtector("Purpose1");
var protector2 = provider.CreateProtector("Purpose2");

var encrypted = protector1.Protect("data");

// This will fail! Same key ring, different derived subkeys.
var decrypted = protector2.Unprotect(encrypted); // throws CryptographicException
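The time-limited and purpose-string sections above, combined into one worked token service. This is an added example rather than code from the page: the share-link scenario, the purpose names, the 15-minute lifetime and the ShareLinkTokens class are assumptions for illustration, and EphemeralDataProtectionProvider (Microsoft.AspNetCore.DataProtection package) stands in for the injected provider so the program runs stand-alone.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Added example: expiring share-link tokens scoped by purpose chain.
public sealed class ShareLinkTokens
{
    private readonly ITimeLimitedDataProtector _shareLinks;

    public ShareLinkTokens(IDataProtectionProvider provider)
    {
        // Chained purpose: equivalent to CreateProtector("InvenTrack").CreateProtector("ShareLink").CreateProtector("v1").
        // Bumping "v1" is a cheap way to invalidate every token of this kind at once.
        _shareLinks = provider
            .CreateProtector("InvenTrack", "ShareLink", "v1")
            .ToTimeLimitedDataProtector();
    }

    // Expiry (UtcNow + lifetime) is embedded in the payload and covered by the MAC.
    public string Issue(int productId, TimeSpan lifetime)
        => _shareLinks.Protect(productId.ToString(), lifetime);

    // Returns false for expired, tampered, wrong-purpose or foreign-key payloads.
    public bool TryRedeem(string token, out int productId, out DateTimeOffset expiresAt)
    {
        productId = 0;
        expiresAt = default;
        try
        {
            var payload = _shareLinks.Unprotect(token, out expiresAt);
            return int.TryParse(payload, out productId);
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var provider = new EphemeralDataProtectionProvider();   // in-memory key ring for the demo
        var tokens = new ShareLinkTokens(provider);

        // 1. Valid token: redeem succeeds and reports the embedded expiry.
        var token = tokens.Issue(42, TimeSpan.FromMinutes(15));
        Console.WriteLine(tokens.TryRedeem(token, out var id, out var exp)
            ? $"valid for product {id} until {exp:u}"
            : "rejected");

        // 2. Wrong purpose: same key ring, different purpose chain, so the token cannot be opened.
        var sessionProtector = provider
            .CreateProtector("InvenTrack", "Session")
            .ToTimeLimitedDataProtector();
        try
        {
            sessionProtector.Unprotect(token);
            Console.WriteLine("unexpected: wrong purpose accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("rejected (wrong purpose)");
        }

        // 3. Already expired: protect with an absolute expiry one minute in the past.
        var stale = provider
            .CreateProtector("InvenTrack", "ShareLink", "v1")
            .ToTimeLimitedDataProtector()
            .Protect("42", DateTimeOffset.UtcNow.AddMinutes(-1));
        Console.WriteLine(tokens.TryRedeem(stale, out _, out _) ? "valid" : "rejected (expired)");
    }
}
```

The Unprotect(token, out expiration) overload is the one to use when the caller needs the remaining lifetime, for example to show it in a UI or to refuse tokens that are valid but suspiciously long-lived.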

InvenTrack Example

Protect Product Serial Numbers C#
using Microsoft.AspNetCore.DataProtection;

public class ProductService
{
    private readonly IDataProtector _protector;

    public ProductService(IDataProtectionProvider provider)
    {
        // Dedicated purpose so serial payloads cannot be swapped with other protected data
        _protector = provider.CreateProtector("InvenTrack.ProductSerials");
    }

    // Output is a base64url string and differs on every call for the same serial,
    // so store it in a text column and never query or index by the protected value.
    public string EncryptSerial(string serial)
    {
        return _protector.Protect(serial);
    }

    // Throws CryptographicException if the stored value was altered or the key is missing;
    // let that propagate or map it to a "record unreadable" error, not to an empty serial.
    public string DecryptSerial(string encryptedSerial)
    {
        return _protector.Unprotect(encryptedSerial);
    }
}

Key Management

Keys are created, rotated and retired automatically: a new key is generated when the current one nears the end of its lifetime (90 days by default), and older keys stay in the ring so existing payloads can still be unprotected. What is not automatic is where the key ring lives. With no configuration, keys go to a per-user or per-app location on the local machine, so every server in a load-balanced deployment, and every fresh container, ends up with its own keys and cannot read the others' payloads. Configure a shared storage location and an application name:

Configure Key Storage C#
builder.Services.AddDataProtection()
    // Shared directory reachable by every instance; keys are XML files, written unencrypted
    // unless a ProtectKeysWith... option is added (ASP.NET Core logs a warning when it is not)
    .PersistKeysToFileSystem(new DirectoryInfo(@"C:\keys"))
    // Isolates this app's payloads from other apps sharing the same key store
    .SetApplicationName("InvenTrack");
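A production-shaped variant of the configuration above, added here as an example and not taken from the page. The configuration keys, the default key path, the certificate lookup by thumbprint and the 30-day lifetime are assumptions; the builder methods themselves (SetApplicationName, PersistKeysToFileSystem, SetDefaultKeyLifetime, ProtectKeysWithCertificate, ProtectKeysWithDpapi) are the real Microsoft.AspNetCore.DataProtection API.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example: Program.cs with a shared, encrypted-at-rest key ring.
var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys; in practice these come from appsettings or environment variables.
var keyRingPath = builder.Configuration["DataProtection:KeyRingPath"] ?? "/var/lib/inventrack/keys";
var certThumbprint = builder.Configuration["DataProtection:CertThumbprint"];

var dataProtection = builder.Services.AddDataProtection()
    // Same name on every instance, otherwise the content-root path is used as the
    // discriminator and payloads from one deployment path are rejected on another.
    .SetApplicationName("InvenTrack")
    // Mounted volume or network share that every replica can read and write.
    .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
    // Rotate every 30 days instead of the 90-day default (assumed policy).
    .SetDefaultKeyLifetime(TimeSpan.FromDays(30));

// Key material must be encrypted at rest. Whoever can read the XML files can
// forge auth cookies and anti-forgery tokens for every instance sharing them.
if (!string.IsNullOrEmpty(certThumbprint))
{
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    var cert = store.Certificates
        .Find(X509FindType.FindByThumbprint, certThumbprint, validOnly: false)
        .Cast<X509Certificate2>()
        .FirstOrDefault()
        ?? throw new InvalidOperationException("Data protection certificate not found in store");

    // Every instance needs this certificate's private key to unwrap the ring.
    dataProtection.ProtectKeysWithCertificate(cert);
}
else if (OperatingSystem.IsWindows())
{
    // Windows-only fallback: ties the key ring to the service account on this machine,
    // so it is only appropriate for a single-server deployment.
    dataProtection.ProtectKeysWithDpapi();
}
else
{
    // Fail closed rather than start with a plaintext key ring.
    throw new InvalidOperationException("Set DataProtection:CertThumbprint to protect the key ring at rest.");
}

var app = builder.Build();
app.MapGet("/", () => "InvenTrack up");
app.Run();
```

On Azure the equivalent pairing is PersistKeysToAzureBlobStorage (package Azure.Extensions.AspNetCore.DataProtection.Blobs) with ProtectKeysWithAzureKeyVault (package Azure.Extensions.AspNetCore.DataProtection.Keys), which puts both the ring and the wrapping key outside the app's own filesystem. Whichever store you choose, back it up: losing the key ring means every existing cookie, token and protected database value becomes unreadable.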

Best Practices

  • Use purpose strings: One distinct purpose per kind of data, so a payload issued for one feature cannot be replayed into another
  • Time-limited protection: Use it for anything that represents a grant (links, tokens, one-time codes); the expiry is fixed at Protect time and cannot be extended
  • Handle exceptions: Unprotect throws CryptographicException for tampered, expired, wrong-purpose and unknown-key payloads alike; reject the payload, don't try to salvage it
  • Key storage: Configure a shared, encrypted-at-rest key ring for production (certificate, DPAPI on a single Windows host, Azure Key Vault with Blob storage, etc.) and back it up; a lost ring makes all protected data unreadable
  • Not for passwords: Protection is reversible by design; hash passwords with Identity's password hasher instead

Key Takeaways

  • Data Protection API: Authenticated encryption for data the app reads back itself
  • Protect(): Encrypt and MAC; output is a base64url string that differs on every call
  • Unprotect(): Verify then decrypt; throws CryptographicException on any failure
  • Purpose strings: Isolate data by deriving distinct subkeys from a shared key ring
  • Time-limited: Expiry embedded in the payload and enforced at Unprotect time
  • Automatic key management: Keys are rotated automatically, but the key ring's location and at-rest protection must be configured for production