We have a .NET 4.5.x OSS application that we are deploying to Azure Websites using git deploy. We have a build server that commits the artifacts to a git repo and then we use it to git deploy. We use app settings in Azure to control everything. However, I'm running into roadblocks finding a way to set the machine key via app settings / environment variables. Anyone else run into this issue and solve it?
P.S., It seems the only thing that uses the machineKey in our app is SignalR... I wonder if there is a safe and secure way to replace IProtectData without using the machine key to generate tokens.
Like you, I wanted to be able to set the machine keys but not commit them to the web.config, which goes into source control and becomes a security risk, and be able to use the same per-environment config system we use with AppSettings. I did find a solution to this, though it's a bit ugly as it uses reflection to manipulate the MachineKeySection configuration.
using System;
using System.Configuration;
using System.Reflection;
using System.Web.Configuration;

// Fetch the application's MachineKeySection through the non-public static GetApplicationConfig().
var getter = typeof(MachineKeySection).GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
var config = (MachineKeySection)getter.Invoke(null, Array.Empty<object>());
// Runtime configuration elements are read-only; temporarily clear the private flag that enforces it.
var readOnlyField = typeof(ConfigurationElement).GetField("_bReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
readOnlyField.SetValue(config, false);
config.DecryptionKey = myKeys.EncryptionKey;   // myKeys: the hex key strings loaded from per-environment app settings
config.ValidationKey = myKeys.ValidationKey;
readOnlyField.SetValue(config, true);          // restore the read-only flag
I also wanted to be able to, if at all possible, extract and use the current machine keys on the production server, so as to not have to forcibly log off all our currently logged in users. I ended up doing something very similar to this answer, which also uses reflection.
Full solution: https://gist.github.com/cmcnab/d2bbed02eb429098ed3656a0729ee40a
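As an added example (not the answer's own code or the linked gist), the same reflection trick wrapped in a helper that reads the two keys from Azure app settings and rejects a missing or malformed value before it reaches the config section. The app-setting names and the expected hex lengths (64-byte HMACSHA256 validation key, 32-byte AES decryption key, the .NET 4.5 machineKey defaults) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web.Configuration;

public static class MachineKeyFromAppSettings
{
    // Azure app settings override <appSettings> entries and are read through ConfigurationManager.
    // These setting names are assumptions, not from the original answer.
    private const string ValidationKeyName = "MachineKeyValidationKey";
    private const string DecryptionKeyName = "MachineKeyDecryptionKey";

    private static readonly Regex Hex = new Regex("^[0-9A-Fa-f]+$", RegexOptions.Compiled);

    // Fail fast on a missing or malformed key instead of letting SignalR / Forms Auth fail later.
    // Assumed defaults: HMACSHA256 validation key = 64 bytes (128 hex), AES decryption key = 32 bytes (64 hex).
    public static string RequireHexKey(string name, string value, int expectedHexLength)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new ConfigurationErrorsException("App setting '" + name + "' is missing.");
        if (value.Length != expectedHexLength || !Hex.IsMatch(value))
            throw new ConfigurationErrorsException("App setting '" + name + "' must be " + expectedHexLength + " hex characters.");
        return value;
    }

    // Call once from Application_Start, before anything reads the machineKey section.
    public static void Apply()
    {
        var validationKey = RequireHexKey(ValidationKeyName, ConfigurationManager.AppSettings[ValidationKeyName], 128);
        var decryptionKey = RequireHexKey(DecryptionKeyName, ConfigurationManager.AppSettings[DecryptionKeyName], 64);

        var getter = typeof(MachineKeySection).GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
        var readOnlyField = typeof(ConfigurationElement).GetField("_bReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
        if (getter == null || readOnlyField == null)
            throw new InvalidOperationException("Framework internals changed; reflection-based machineKey override is unavailable.");

        var config = (MachineKeySection)getter.Invoke(null, new object[0]); // new object[0] keeps this on .NET 4.5
        readOnlyField.SetValue(config, false);
        try
        {
            config.ValidationKey = validationKey;
            config.DecryptionKey = decryptionKey;
        }
        finally
        {
            readOnlyField.SetValue(config, true); // restore read-only even if a setter throws
        }
    }
}
```

The null check on the reflected members is the caveat of this approach: it leans on private framework internals, so a framework update can silently remove them, and failing at startup is preferable to running with whatever key the section already held.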