cloudscribe Core uses encryption to protect certain sensitive values stored in the database, such as SMTP passwords and social authentication secrets. It also relies on encryption to secure authentication cookies for logged-in users.
This encryption is provided by the ASP.NET Core Data Protection API.
To ensure encrypted data can always be decrypted, the application must use persistent data protection keys. If these keys are lost or changed, encrypted settings and authentication cookies will become invalid, and users may be required to sign in again.
Default (Recommended) Setup – IIS Hosting
For most IIS-hosted ASP.NET Core applications, no special configuration is required.
Simply ensure the following line is present during application startup:
services.AddDataProtection();
When used without any additional configuration, ASP.NET Core automatically:
- Creates and manages encryption keys for you
- Stores them securely on disk
- Protects them using Windows DPAPI
- Keeps them isolated to the application’s IIS application pool
Where are the keys stored?
By default, the keys are stored under the application pool’s user profile, typically in:
C:\Users\<AppPoolIdentity>\AppData\Local\ASP.NET\DataProtection-Keys
These keys:
- Persist across application restarts and IIS app pool recycling
- Allow encrypted settings and login cookies to continue working
- Are isolated per application pool for security
For a single IIS deployment, this default behaviour is sufficient and recommended.
Important Notes
- Each IIS application pool has its own set of keys
- If the application is redeployed using the same app pool, existing encrypted data will continue to work
- Users will not be logged out when the application restarts
Advanced Scenarios (Optional)
In more complex environments — such as web farms, load-balanced deployments, containers, or when multiple applications need to share authentication cookies — the default key storage may not be sufficient.
In these cases, ASP.NET Core allows you to explicitly configure where keys are stored, for example:
- A shared file system
- A database
- The Windows registry
These options require additional configuration and are only needed for advanced hosting scenarios.
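As an added illustration (not cloudscribe's own code), the snippet below shows the explicit configuration for the shared file system option on a Windows web farm. It assumes every node can reach the same UNC share and has the same key-encryption certificate installed in the local machine store; the share path and thumbprint are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Placeholder values: replace with your own share path and certificate thumbprint.
const string KeyRingShare = @"\\fileserver\cloudscribe-keys";
const string KeyEncryptionCertThumbprint = "<THUMBPRINT-PLACEHOLDER>";

// Looks up the key-encryption certificate in the local machine store.
// Every node in the farm needs this certificate (with its private key) installed,
// otherwise that node cannot unwrap keys written by its peers.
static X509Certificate2 LoadKeyEncryptionCert(string thumbprint)
{
    using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
    if (matches.Count == 0)
        throw new InvalidOperationException("Key-encryption certificate not found in LocalMachine\\My.");
    return matches[0];
}

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDataProtection()
    // All nodes read and write one key ring, so an auth cookie or encrypted
    // SMTP password produced on one node can be decrypted on any other.
    .PersistKeysToFileSystem(new DirectoryInfo(KeyRingShare))
    // Once the persistence location is changed, ASP.NET Core no longer encrypts
    // keys at rest automatically. Windows DPAPI is per-machine and would not
    // work across the farm, so wrap the keys with a certificate shared by all nodes.
    .ProtectKeysWithCertificate(LoadKeyEncryptionCert(KeyEncryptionCertThumbprint))
    // Apps that must share authentication cookies need the same application name;
    // the default is derived from the content root path, which differs per app.
    .SetApplicationName("cloudscribe");

var app = builder.Build();
app.Run();
```

If the key ring directory is new, the first node to start will create the initial key; later nodes pick it up on their next key-ring refresh.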
Azure
For Azure hosting, you can store the keys in either Azure Blob Storage or Redis; see the official documentation here.