diff --git a/aspnetcore/security/data-protection/configuration/default-settings.md b/aspnetcore/security/data-protection/configuration/default-settings.md index f9febd173a..2aebc446b3 100644 --- a/aspnetcore/security/data-protection/configuration/default-settings.md +++ b/aspnetcore/security/data-protection/configuration/default-settings.md @@ -28,7 +28,7 @@ The system tries to detect its operational environment and provide good zero-con 4. If none of these conditions matches, keys are not persisted outside of the current process. When the process shuts down, all generated keys will be lost. -The developer is always in full control and can override how and where keys are stored. The first three options above should good defaults for most applications similar to how the ASP.NET auto-generation routines worked in the past. The final, fall back option is the only scenario that truly requires the developer to specify [configuration](overview.md) upfront if he wants key persistence, but this fall-back would only occur in rare situations. +The developer is always in full control and can override how and where keys are stored. The first three options above should good defaults for most applications similar to how the ASP.NET auto-generation routines worked in the past. The final, fall back option is the only scenario that truly requires the developer to specify [configuration](overview.md) upfront if they want key persistence, but this fall-back would only occur in rare situations. >[!WARNING] > If the developer overrides this heuristic and points the data protection system at a specific key repository, automatic encryption of keys at rest will be disabled. At rest protection can be re-enabled via [configuration](overview.md).