Difference between Azure Key Vault and Data Protection APIs?

Question

I deploy Asp.Net Core web app and I need to build a storage for private keys of my clients (it is a lot of values). What should I use: Azure Key Vault or Data Protection APIs? The second seems more easy to programming, however there is information from docs:

The ASP.NET Core data protection APIs are not primarily intended for indefinite persistence of confidential payloads...

But I need to store keys long-term.

Answer 1

You should use Azure Key Vault to store your keys. The Data Protection API is always used in your application, for example it is used to encrypt and secure your session cookie.

But don't forget that you also do need to configure and store the data protection keys in a secure place. If you don't do it properly, then uses might be kicked out of your site when you redeploy.

See this document for more details:

• Key storage providers in ASP.NET Core

If you do want to store the Data Protection Key ring in AKZ, then check out my implementation here:

• Storing the ASP.NET Core Data Protection Key Ring in Azure Key Vault

Answer 2

If you're using the keys to protect data for long term storage, I would advise you to use Azure Key vault.

Azure Key vault is a high availability service designed for storage of secrets and keys. Keys and secrets are automatically copied to Key vault instances in multiple regions and easily backed up securely using PowerShell cmdlets. You can store them in an HSM if you are dealing with highly sensitive data.

The Data Protection APIs are more designed to protect local or ephemeral data.