NpgsqlRest

Appearance

Comments
Written with Claude
IMPORTANT

As you may notice, this page and pretty much the entire website were obviously created with the help of AI. I wonder how you could tell? Was it a big "Written With Claude" badge on every page? I moved it to the top now (with the help of AI of course) to make it even more obvious. There are a few blogposts that were written by me manually, the old-fashioned way, I hope there will be more in the future, and those have a similar "Human Written" badge. This project (not the website), on the other hand, is a very, very different story. It took me more than two years of painstaking and unpaid work in my own free time. A story that, hopefully, I will tell someday. But meanwhile, what would you like me to do? To create a complex documentation website with a bunch of highly technical articles with the help of AI and fake it, to give you an illusion that I also did that manually? Like the half of itnernet is doing at this point? How does that makes any sense? Is that even fair to you? Or maybe to create this website manually, the old-fashioned way, just for you? While working a paid job for a salary, most of you wouldn't even get up in the morning. Would you like me to sing you a song while we're at it? For your personal entertainment? Seriously, get a grip. Do you find this information less valuable because of the way this website was created? I give my best to fix it to keep the information as accurate as possible, and I think it is very accurate at this point. If you find some mistakes, inaccurancies or problems, there is a comment section at the bottom of every page, which I also made with the help of the AI. And I woould very much appreciate if you leave your feedback there. Look, I'm just a guy who likes SQL, that's all. If you don't approve of how this website was constructed and the use of AI tools, I suggest closing this page and never wever coming back. And good riddance. And I would ban your access if I could know how. Thank you for your attention to this matter.

Data Protection

Data protection settings control encryption and decryption for authentication cookies and antiforgery tokens.

Overview

json
{
  "DataProtection": {
    "Enabled": true,
    "CustomApplicationName": null,
    "DefaultKeyLifetimeDays": 90,
    "Storage": "Default",
    "FileSystemPath": "./data-protection-keys",
    "GetAllElementsCommand": "select get_data_protection_keys()",
    "StoreElementCommand": "call store_data_protection_keys($1,$2)",
    "EncryptionAlgorithm": null,
    "ValidationAlgorithm": null,
    "KeyEncryption": "None",
    "CertificatePath": null,
    "CertificatePassword": null,
    "DpapiLocalMachine": false
  }
}

Settings Reference

SettingTypeDefaultDescription
EnabledbooltrueEnable data protection.
CustomApplicationNamestringnullApplication name for encryption scope. Uses ApplicationName if null. Different names cannot decrypt each other's data.
DefaultKeyLifetimeDaysint90Number of days before keys are rotated.
Storagestring"Default"Key storage location: "Default", "FileSystem", or "Database".
FileSystemPathstring"./data-protection-keys"Path for file system storage.
GetAllElementsCommandstring"select get_data_protection_keys()"Database command to retrieve keys. Returns rows with single text column.
StoreElementCommandstring"call store_data_protection_keys($1,$2)"Database command to store keys. Receives name and data as text parameters.
EncryptionAlgorithmstringnullEncryption algorithm. Uses default if null.
ValidationAlgorithmstringnullValidation algorithm. Uses default if null.
KeyEncryptionstring"None"Key encryption method: "None", "Certificate", or "Dpapi" (Windows only).
CertificatePathstringnullPath to X.509 certificate file (.pfx) when using Certificate encryption.
CertificatePasswordstringnullPassword for the certificate file (can be null for passwordless certificates).
DpapiLocalMachineboolfalseWhen using DPAPI, set to true to protect keys to the local machine instead of current user.

Storage Options

Default Storage

json
{
  "DataProtection": {
    "Storage": "Default"
  }
}

Uses the platform's default key storage location.

Linux Users

On Linux, Default storage does not persist keys. When keys are lost on restart, encrypted tokens (authentication cookies) will stop working. Linux deployments should use FileSystem or Database storage.

File System Storage

json
{
  "DataProtection": {
    "Storage": "FileSystem",
    "FileSystemPath": "/var/lib/npgsqlrest/keys"
  }
}

Stores keys in the specified directory.

Docker

When running in Docker, ensure FileSystemPath points to a Docker volume to persist keys across container restarts.

Database Storage

json
{
  "DataProtection": {
    "Storage": "Database",
    "GetAllElementsCommand": "select get_data_protection_keys()",
    "StoreElementCommand": "call store_data_protection_keys($1,$2)"
  }
}

Stores keys in the PostgreSQL database using custom functions.

Encryption Algorithms

Configure the encryption algorithm for data protection keys:

ValueDescription
nullUse default algorithm
AES_128_CBCAES 128-bit CBC mode
AES_192_CBCAES 192-bit CBC mode
AES_256_CBCAES 256-bit CBC mode
AES_128_GCMAES 128-bit GCM mode
AES_192_GCMAES 192-bit GCM mode
AES_256_GCMAES 256-bit GCM mode
json
{
  "DataProtection": {
    "EncryptionAlgorithm": "AES_256_GCM"
  }
}

Validation Algorithms

Configure the validation algorithm for data protection keys:

ValueDescription
nullUse default algorithm
HMACSHA256HMAC SHA-256
HMACSHA512HMAC SHA-512
json
{
  "DataProtection": {
    "ValidationAlgorithm": "HMACSHA512"
  }
}

Application Name Scope

The CustomApplicationName determines the encryption scope. Applications with different names cannot decrypt each other's data:

json
{
  "DataProtection": {
    "CustomApplicationName": "my-app-production"
  }
}

If null, uses the top-level ApplicationName setting.

Key Encryption Options

Data protection keys can be encrypted at rest using X.509 certificates or Windows DPAPI for additional security.

No Encryption (Default)

json
{
  "DataProtection": {
    "KeyEncryption": "None"
  }
}

Keys are stored without additional encryption at rest.

Certificate Encryption

json
{
  "DataProtection": {
    "Enabled": true,
    "Storage": "Database",
    "KeyEncryption": "Certificate",
    "CertificatePath": "/path/to/cert.pfx",
    "CertificatePassword": "${CERT_PASSWORD}"
  }
}

Encrypts keys using an X.509 certificate. The certificate must be a .pfx file containing both the public and private key.

Environment Variables

Use environment variable substitution for the certificate password to avoid storing secrets in configuration files.

DPAPI Encryption (Windows Only)

json
{
  "DataProtection": {
    "Enabled": true,
    "Storage": "FileSystem",
    "FileSystemPath": "./keys",
    "KeyEncryption": "Dpapi",
    "DpapiLocalMachine": true
  }
}

Uses Windows Data Protection API to encrypt keys. Only available on Windows.

DpapiLocalMachineScope
false (default)Keys are protected to the current user account
trueKeys are protected to the local machine (any user on the machine can decrypt)

Windows Only

DPAPI encryption is only available on Windows. On other platforms, use Certificate encryption instead.

Complete Example

Production configuration with database storage:

json
{
  "DataProtection": {
    "Enabled": true,
    "CustomApplicationName": null,
    "DefaultKeyLifetimeDays": 90,
    "Storage": "Database",
    "GetAllElementsCommand": "select get_data_protection_keys()",
    "StoreElementCommand": "call store_data_protection_keys($1,$2)",
    "EncryptionAlgorithm": "AES_256_GCM",
    "ValidationAlgorithm": "HMACSHA512"
  }
}

Production configuration with file system storage (Docker):

json
{
  "DataProtection": {
    "Enabled": true,
    "DefaultKeyLifetimeDays": 90,
    "Storage": "FileSystem",
    "FileSystemPath": "/app/keys"
  }
}

Next Steps

Comments

Released under the MIT License.

Copyright © 2024-2026 VB Consulting