diff --git a/aspnetcore/security/data-protection/configuration/overview.md b/aspnetcore/security/data-protection/configuration/overview.md index fbd623df46..fff79cb98f 100644 --- a/aspnetcore/security/data-protection/configuration/overview.md +++ b/aspnetcore/security/data-protection/configuration/overview.md @@ -96,6 +96,26 @@ public void ConfigureServices(IServiceCollection services) > [!WARNING] > If you change the key persistence location, the system no longer automatically encrypts keys at rest, since it doesn't know whether DPAPI is an appropriate encryption mechanism. +## PersistKeysToDbContext + +To store keys in a database using EntityFramework, configure the system with the [Microsoft.AspNetCore.DataProtection.EntityFrameworkCore](https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/) package: + +```csharp +public void ConfigureServices(IServiceCollection services) +{ + services.AddDataProtection() + .PersistKeysToDbContext() +} +``` + +The preceding code stores the keys in the configured database. The database context being used must implement `IDataProtectionKeyContext`. `IDataProtectionKeyContext` exposes the property `DataProtectionKeys` + +```csharp +public DbSet DataProtectionKeys { get; set; } +``` + +This property represents the table in which the keys are stored. Create the table manually or with `DbContext` Migrations. See for more information. + ## ProtectKeysWith\* You can configure the system to protect keys at rest by calling any of the [ProtectKeysWith\*](/dotnet/api/microsoft.aspnetcore.dataprotection.dataprotectionbuilderextensions) configuration APIs. Consider the example below, which stores keys on a UNC share and encrypts those keys at rest with a specific X.509 certificate:
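Review bot: The new `## PersistKeysToDbContext` section never says whether keys written to the database are encrypted at rest, even though the warning directly above it states that changing the key persistence location turns off automatic encryption. Add a sentence here that tells readers to pair `PersistKeysToDbContext` with one of the `ProtectKeysWith\*` APIs described in the next section, otherwise a reader following the sample may store key material unprotected in a database table. The first sample also does not compile as shown: the `.PersistKeysToDbContext()` call has no terminating semicolon and no type argument naming the context, although the following paragraph says the context must implement `IDataProtectionKeyContext`. Likewise `public DbSet DataProtectionKeys { get; set; }` has no entity type argument. The sentence introducing that property is missing its closing punctuation before the code block, and the last sentence, "See for more information.", has no link target, so either supply the reference or drop the sentence.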