AspNetCore.Docs/aspnetcore/security/data-protection/using-data-protection.md

---
title: Get started with the Data Protection APIs in ASP.NET Core
author: rick-anderson
description: Learn how to use the ASP.NET Core data protection APIs for protecting and unprotecting data in an app.
manager: wpickett
ms.author: riande
ms.date: 10/14/2016
ms.prod: asp.net-core
ms.technology: aspnet
ms.topic: article
uid: security/data-protection/using-data-protection
---
# Get started with the Data Protection APIs in ASP.NET Core

<a name="security-data-protection-getting-started"></a>

At its simplest, protecting data consists of the following steps:

1. Create a data protector from a data protection provider.

2. Call the `Protect` method with the data you want to protect.

3. Call the `Unprotect` method with the data you want to turn back into plain text.

Most frameworks and app models, such as ASP.NET or SignalR, already configure the data protection system and add it to a service container you access via dependency injection. The following sample demonstrates configuring a service container for dependency injection and registering the data protection stack, receiving the data protection provider via DI, creating a protector and protecting then unprotecting data

[!code-csharp[](../../security/data-protection/using-data-protection/samples/protectunprotect.cs?highlight=26,34,35,36,37,38,39,40)]

When you create a protector you must provide one or more [Purpose Strings](xref:security/data-protection/consumer-apis/purpose-strings). A purpose string provides isolation between consumers. For example, a protector created with a purpose string of "green" wouldn't be able to unprotect data provided by a protector with a purpose of "purple".

>[!TIP]
> Instances of `IDataProtectionProvider` and `IDataProtector` are thread-safe for multiple callers. It's intended that once a component gets a reference to an `IDataProtector` via a call to `CreateProtector`, it will use that reference for multiple calls to `Protect` and `Unprotect`.
>
>A call to `Unprotect` will throw CryptographicException if the protected payload cannot be verified or deciphered. Some components may wish to ignore errors during unprotect operations; a component which reads authentication cookies might handle this error and treat the request as if it had no cookie at all rather than fail the request outright. Components which want this behavior should specifically catch CryptographicException instead of swallowing all exceptions.
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`title: Get started with the Data Protection APIs in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`description: Learn how to use the ASP.NET Core data protection APIs for protecting and unprotecting data in an app.`
Add docfx content 2016-10-29 01:35:15 +08:00			`manager: wpickett`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.author: riande`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.date: 10/14/2016`
Bulk metadata fix (#2871) * meta data fix * Revert "meta data fix" This reverts commit ba3688347667594a0967b08196cbb5308500a217. * meta data fix2 * test * Update owin-oauth-20-authorization-server.md * Update api-ref.md * Update api-ref.md * test * test2 2017-03-03 08:50:36 +08:00			`ms.prod: asp.net-core`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.technology: aspnet`
			`ms.topic: article`
Add docfx content 2016-10-29 01:35:15 +08:00			`uid: security/data-protection/using-data-protection`
			`---`
Title, description, and H1 updates (3) (#5717) 2018-03-20 07:40:34 +08:00			`# Get started with the Data Protection APIs in ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00
Fix invalid bookmarks (#4570) 2017-10-14 04:50:30 +08:00			`<a name="security-data-protection-getting-started"></a>`
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`At its simplest, protecting data consists of the following steps:`
Add docfx content 2016-10-29 01:35:15 +08:00
			`1. Create a data protector from a data protection provider.`

Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			2. Call the `Protect` method with the data you want to protect.
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			3. Call the `Unprotect` method with the data you want to turn back into plain text.
Add docfx content 2016-10-29 01:35:15 +08:00
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			`Most frameworks and app models, such as ASP.NET or SignalR, already configure the data protection system and add it to a service container you access via dependency injection. The following sample demonstrates configuring a service container for dependency injection and registering the data protection stack, receiving the data protection provider via DI, creating a protector and protecting then unprotecting data`
Add docfx content 2016-10-29 01:35:15 +08:00
Drop [Main] from snippet references (#5547) 2018-02-25 00:08:11 +08:00			`[!code-csharp[](../../security/data-protection/using-data-protection/samples/protectunprotect.cs?highlight=26,34,35,36,37,38,39,40)]`
Add docfx content 2016-10-29 01:35:15 +08:00
Security link updates (#5727) Updates Revert 2018-03-19 10:25:14 +08:00			`When you create a protector you must provide one or more [Purpose Strings](xref:security/data-protection/consumer-apis/purpose-strings). A purpose string provides isolation between consumers. For example, a protector created with a purpose string of "green" wouldn't be able to unprotect data provided by a protector with a purpose of "purple".`
Add docfx content 2016-10-29 01:35:15 +08:00
			`>[!TIP]`
Taming the savage contraction issue (#5216) * Form contractions * Revert two contractions * Additional reversions * Additional reversions * Additional revisions * Additional revisions * React to feedback 2018-01-24 23:27:24 +08:00			> Instances of `IDataProtectionProvider` and `IDataProtector` are thread-safe for multiple callers. It's intended that once a component gets a reference to an `IDataProtector` via a call to `CreateProtector`, it will use that reference for multiple calls to `Protect` and `Unprotect`.
Add docfx content 2016-10-29 01:35:15 +08:00			`>`
Add missing description metadata to security docs (#4702) 2017-11-02 03:34:09 +08:00			>A call to `Unprotect` will throw CryptographicException if the protected payload cannot be verified or deciphered. Some components may wish to ignore errors during unprotect operations; a component which reads authentication cookies might handle this error and treat the request as if it had no cookie at all rather than fail the request outright. Components which want this behavior should specifically catch CryptographicException instead of swallowing all exceptions.