AspNetCore.Docs/aspnetcore/security/data-protection/configuration/machine-wide-policy.md

---
title: Data Protection machine-wide policy support in ASP.NET Core
author: rick-anderson
description: Learn about support for setting a default machine-wide policy for all apps that consume ASP.NET Core Data Protection.
ms.author: riande
ms.date: 10/14/2016
uid: security/data-protection/configuration/machine-wide-policy
---
# Data Protection machine-wide policy support in ASP.NET Core

By [Rick Anderson](https://twitter.com/RickAndMSFT)

When running on Windows, the Data Protection system has limited support for setting a default machine-wide policy for all apps that consume ASP.NET Core Data Protection. The general idea is that an administrator might wish to change a default setting, such as the algorithms used or key lifetime, without the need to manually update every app on the machine.

> [!WARNING]
> The system administrator can set default policy, but they can't enforce it. The app developer can always override any value with one of their own choosing. The default policy only affects apps where the developer hasn't specified an explicit value for a setting.

## Setting default policy

To set default policy, an administrator can set known values in the system registry under the following registry key:

**HKLM\SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection**

If you're on a 64-bit operating system and want to affect the behavior of 32-bit apps, remember to configure the Wow6432Node equivalent of the above key.

The supported values are shown below.

| Value              | Type   | Description |
| ------------------ | :----: | ----------- |
| EncryptionType     | string | Specifies which algorithms should be used for data protection. The value must be CNG-CBC, CNG-GCM, or Managed and is described in more detail below. |
| DefaultKeyLifetime | DWORD  | Specifies the lifetime for newly-generated keys. The value is specified in days and must be >= 7. |
| KeyEscrowSinks     | string | Specifies the types that are used for key escrow. The value is a semicolon-delimited list of key escrow sinks, where each element in the list is the assembly-qualified name of a type that implements [IKeyEscrowSink](/dotnet/api/microsoft.aspnetcore.dataprotection.keymanagement.ikeyescrowsink). |

## Encryption types

If EncryptionType is CNG-CBC, the system is configured to use a CBC-mode symmetric block cipher for confidentiality and HMAC for authenticity with services provided by Windows CNG (see [Specifying custom Windows CNG algorithms](xref:security/data-protection/configuration/overview#specifying-custom-windows-cng-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the CngCbcAuthenticatedEncryptionSettings type.

| Value                       | Type   | Description |
| --------------------------- | :----: | ----------- |
| EncryptionAlgorithm         | string | The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in CBC mode. |
| EncryptionAlgorithmProvider | string | The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm. |
| EncryptionAlgorithmKeySize  | DWORD  | The length (in bits) of the key to derive for the symmetric block cipher algorithm. |
| HashAlgorithm               | string | The name of a hash algorithm understood by CNG. This algorithm is opened in HMAC mode. |
| HashAlgorithmProvider       | string | The name of the CNG provider implementation that can produce the algorithm HashAlgorithm. |

If EncryptionType is CNG-GCM, the system is configured to use a Galois/Counter Mode symmetric block cipher for confidentiality and authenticity with services provided by Windows CNG (see [Specifying custom Windows CNG algorithms](xref:security/data-protection/configuration/overview#specifying-custom-windows-cng-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the CngGcmAuthenticatedEncryptionSettings type.

| Value                       | Type   | Description |
| --------------------------- | :----: | ----------- |
| EncryptionAlgorithm         | string | The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in Galois/Counter Mode. |
| EncryptionAlgorithmProvider | string | The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm. |
| EncryptionAlgorithmKeySize  | DWORD  | The length (in bits) of the key to derive for the symmetric block cipher algorithm. |

If EncryptionType is Managed, the system is configured to use a managed SymmetricAlgorithm for confidentiality and KeyedHashAlgorithm for authenticity (see [Specifying custom managed algorithms](xref:security/data-protection/configuration/overview#specifying-custom-managed-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the ManagedAuthenticatedEncryptionSettings type.

| Value                      | Type   | Description |
| -------------------------- | :----: | ----------- |
| EncryptionAlgorithmType    | string | The assembly-qualified name of a type that implements SymmetricAlgorithm. |
| EncryptionAlgorithmKeySize | DWORD  | The length (in bits) of the key to derive for the symmetric encryption algorithm. |
| ValidationAlgorithmType    | string | The assembly-qualified name of a type that implements KeyedHashAlgorithm. |

If EncryptionType has any other value other than null or empty, the Data Protection system throws an exception at startup.

> [!WARNING]
> When configuring a default policy setting that involves type names (EncryptionAlgorithmType, ValidationAlgorithmType, KeyEscrowSinks), the types must be available to the app. This means that for apps running on Desktop CLR, the assemblies that contain these types should be present in the Global Assembly Cache (GAC). For ASP.NET Core apps running on .NET Core, the packages that contain these types should be installed.
Removed U+FEFF (#2073) * Removed U+FEFF * Removed leading FEFF * Update bootstrap.md * Update bundling-and-minification.md * Update knockout.md * Update using-grunt.md * Update yeoman.md * Update style-guide.md * Update error-handling.md * Update localization.md * Update middleware.md * Update validation.md * Update overview.md * Update view-components.md * Update iis-with-msdeploy.md * Update iis.md * Update web-publishing-vs.md * Update sociallogins.md * Update cors.md * Update machine-wide-policy.md * Update cross-site-scripting.md * Update overview.md * Update limited-lifetime-payloads.md * Update overview.md * Update password-hashing.md * Update key-encryption-at-rest.md * Update adding-model.md * Update new-field.md * Update validation.md * Update nano-server.md * Update your-first-mac-aspnet.md 2016-11-03 01:17:24 +08:00			`---`
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`title: Data Protection machine-wide policy support in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`description: Learn about support for setting a default machine-wide policy for all apps that consume ASP.NET Core Data Protection.`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.author: riande`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.date: 10/14/2016`
Removed U+FEFF (#2073) * Removed U+FEFF * Removed leading FEFF * Update bootstrap.md * Update bundling-and-minification.md * Update knockout.md * Update using-grunt.md * Update yeoman.md * Update style-guide.md * Update error-handling.md * Update localization.md * Update middleware.md * Update validation.md * Update overview.md * Update view-components.md * Update iis-with-msdeploy.md * Update iis.md * Update web-publishing-vs.md * Update sociallogins.md * Update cors.md * Update machine-wide-policy.md * Update cross-site-scripting.md * Update overview.md * Update limited-lifetime-payloads.md * Update overview.md * Update password-hashing.md * Update key-encryption-at-rest.md * Update adding-model.md * Update new-field.md * Update validation.md * Update nano-server.md * Update your-first-mac-aspnet.md 2016-11-03 01:17:24 +08:00			`uid: security/data-protection/configuration/machine-wide-policy`
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`# Data Protection machine-wide policy support in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`By [Rick Anderson](https://twitter.com/RickAndMSFT)`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`When running on Windows, the Data Protection system has limited support for setting a default machine-wide policy for all apps that consume ASP.NET Core Data Protection. The general idea is that an administrator might wish to change a default setting, such as the algorithms used or key lifetime, without the need to manually update every app on the machine.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`> [!WARNING]`
			`> The system administrator can set default policy, but they can't enforce it. The app developer can always override any value with one of their own choosing. The default policy only affects apps where the developer hasn't specified an explicit value for a setting.`
Add docfx content 2016-10-29 01:35:15 +08:00
			`## Setting default policy`

security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`To set default policy, an administrator can set known values in the system registry under the following registry key:`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`HKLM\SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`If you're on a 64-bit operating system and want to affect the behavior of 32-bit apps, remember to configure the Wow6432Node equivalent of the above key.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`The supported values are shown below.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`\| Value \| Type \| Description \|`
			`\| ------------------ \| :----: \| ----------- \|`
			`\| EncryptionType \| string \| Specifies which algorithms should be used for data protection. The value must be CNG-CBC, CNG-GCM, or Managed and is described in more detail below. \|`
			`\| DefaultKeyLifetime \| DWORD \| Specifies the lifetime for newly-generated keys. The value is specified in days and must be >= 7. \|`
			`\| KeyEscrowSinks \| string \| Specifies the types that are used for key escrow. The value is a semicolon-delimited list of key escrow sinks, where each element in the list is the assembly-qualified name of a type that implements [IKeyEscrowSink](/dotnet/api/microsoft.aspnetcore.dataprotection.keymanagement.ikeyescrowsink). \|`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`## Encryption types`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`If EncryptionType is CNG-CBC, the system is configured to use a CBC-mode symmetric block cipher for confidentiality and HMAC for authenticity with services provided by Windows CNG (see [Specifying custom Windows CNG algorithms](xref:security/data-protection/configuration/overview#specifying-custom-windows-cng-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the CngCbcAuthenticatedEncryptionSettings type.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`\| Value \| Type \| Description \|`
			`\| --------------------------- \| :----: \| ----------- \|`
			`\| EncryptionAlgorithm \| string \| The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in CBC mode. \|`
			`\| EncryptionAlgorithmProvider \| string \| The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm. \|`
			`\| EncryptionAlgorithmKeySize \| DWORD \| The length (in bits) of the key to derive for the symmetric block cipher algorithm. \|`
			`\| HashAlgorithm \| string \| The name of a hash algorithm understood by CNG. This algorithm is opened in HMAC mode. \|`
			`\| HashAlgorithmProvider \| string \| The name of the CNG provider implementation that can produce the algorithm HashAlgorithm. \|`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`If EncryptionType is CNG-GCM, the system is configured to use a Galois/Counter Mode symmetric block cipher for confidentiality and authenticity with services provided by Windows CNG (see [Specifying custom Windows CNG algorithms](xref:security/data-protection/configuration/overview#specifying-custom-windows-cng-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the CngGcmAuthenticatedEncryptionSettings type.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`\| Value \| Type \| Description \|`
			`\| --------------------------- \| :----: \| ----------- \|`
			`\| EncryptionAlgorithm \| string \| The name of a symmetric block cipher algorithm understood by CNG. This algorithm is opened in Galois/Counter Mode. \|`
			`\| EncryptionAlgorithmProvider \| string \| The name of the CNG provider implementation that can produce the algorithm EncryptionAlgorithm. \|`
			`\| EncryptionAlgorithmKeySize \| DWORD \| The length (in bits) of the key to derive for the symmetric block cipher algorithm. \|`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`If EncryptionType is Managed, the system is configured to use a managed SymmetricAlgorithm for confidentiality and KeyedHashAlgorithm for authenticity (see [Specifying custom managed algorithms](xref:security/data-protection/configuration/overview#specifying-custom-managed-algorithms) for more details). The following additional values are supported, each of which corresponds to a property on the ManagedAuthenticatedEncryptionSettings type.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`\| Value \| Type \| Description \|`
			`\| -------------------------- \| :----: \| ----------- \|`
			`\| EncryptionAlgorithmType \| string \| The assembly-qualified name of a type that implements SymmetricAlgorithm. \|`
			`\| EncryptionAlgorithmKeySize \| DWORD \| The length (in bits) of the key to derive for the symmetric encryption algorithm. \|`
			`\| ValidationAlgorithmType \| string \| The assembly-qualified name of a type that implements KeyedHashAlgorithm. \|`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`If EncryptionType has any other value other than null or empty, the Data Protection system throws an exception at startup.`
Add docfx content 2016-10-29 01:35:15 +08:00
security/data-protection/configuration updates (#4549) * Security/DP/Configuration updates Updates Update bookmarks Updates * Revert anchor additions * Update * Drop lib from sample * React to feedback 2017-10-21 04:15:26 +08:00			`> [!WARNING]`
Prereqs tuneup (#5721) Updates 2018-03-20 12:04:00 +08:00			`> When configuring a default policy setting that involves type names (EncryptionAlgorithmType, ValidationAlgorithmType, KeyEscrowSinks), the types must be available to the app. This means that for apps running on Desktop CLR, the assemblies that contain these types should be present in the Global Assembly Cache (GAC). For ASP.NET Core apps running on .NET Core, the packages that contain these types should be installed.`