Azure Key Vault Key Encryptor for Microsoft.AspNetCore.DataProtection

The Azure.Extensions.AspNetCore.DataProtection.Keys package allows protecting keys at rest using Azure Key Vault Key Encryption/Wrapping feature.

Getting started

Install the package

Install the package with NuGet:

dotnet add package Azure.Extensions.AspNetCore.DataProtection.Keys


You need an Azure subscription, Key Vault and a Key to use this package.

To create a new Key Vault, you can use the Azure Portal, Azure PowerShell, or the Azure CLI. Here's an example using the Azure CLI:

az keyvault create --name MyVault --resource-group MyResourceGroup --location westus
az keyvault key create --name MyKey --vault-name MyVault

# give write access to a service principal (application)
az keyvault set-policy -n MyVault --object-id <application_id> --key-permissions get unwrapKey wrapKey

Key concepts

Thread safety

We guarantee that all client instance methods are thread-safe and independent of each other (guideline). This ensures that the recommendation of reusing client instances is always safe, even across threads.

Additional concepts

Client options | Accessing the response | Long-running operations | Handling failures | Diagnostics | Mocking | Client lifetime


To protect keys using Azure Key Vault Key, configure the system with ProtectKeysWithAzureKeyVault when configuring the services:

public void ConfigureServices(IServiceCollection services)
        .ProtectKeysWithAzureKeyVault(new Uri("<Key-ID>"), new DefaultAzureCredential());

The Azure Identity library provides easy Azure Active Directory support for authentication.

Next steps

Read more about DataProtection in ASP.NET Core.


This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.