Add a more general UnprotectKeyWith* solution for data protection #46310

Open
@dozer75

Description

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Today, there is only one UnprotectKeysWith* configuration: the UnprotectKeysWithAnyCertificate logic, which makes it possible to unprotect keys generated with old rotated certificates when data protection is configured using ProtectKeysWithCertificate. While this functionality works perfectly, it is limited to ONLY working when data protection is using ProtectKeysWithCertificate and not in other situations, which makes it difficult to switch the key protection system from e.g. Certificate to Azure Key Vault.

It would be nice if there were a solution that made UnprotectKeysWithAnyCertificate independent of ProtectKeysWithCertificate, and that added other UnprotectKeysWith* methods for other key providers as well, e.g. Azure Key Vault.

This would make it easy to transition e.g. from one environment to an Azure environment, or to any other combination.

Describe the solution you'd like

I would like the Unprotect logic to be separated from the Protect logic so that:

  1. The unprotect logic can be extended to include other key providers as well.
  2. The unprotect logic can be added to protect logic that isn't of the same type, e.g. Azure Key Vault protection with unprotect logic from old certificates.

Additional context

No response
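For readers unfamiliar with the two configurations the issue contrasts, here is an added example (not code from the issue author or from the ASP.NET Core project) of the key-rotation setup it describes: ProtectKeysWithCertificate wraps new key-ring entries with the current certificate, and UnprotectKeysWithAnyCertificate supplies the previously rotated certificates so older entries can still be unwrapped. The Azure Key Vault branch uses the ProtectKeysWithAzureKeyVault extension from the Azure.Extensions.AspNetCore.DataProtection.Keys package. The certificate paths, configuration keys, application name, key directory and vault URI are all assumptions made for the example.

```csharp
// Added example, not the issue author's or the project's own code.
// Assumed: two packages referenced, Microsoft.AspNetCore.DataProtection and
// Azure.Extensions.AspNetCore.DataProtection.Keys; PFX files and passwords as named below.
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Assumed locations and configuration keys; in production the passwords come from a secret store.
var currentCert = new X509Certificate2(
    "certs/dataprotection-2025.pfx", builder.Configuration["DpCert:Current"]);

// Certificates rotated out earlier. Keys in the persisted key ring that were wrapped
// with these must still be unwrappable, or previously protected payloads become unreadable.
var previousCerts = new[]
{
    new X509Certificate2("certs/dataprotection-2024.pfx", builder.Configuration["DpCert:Previous2024"]),
    new X509Certificate2("certs/dataprotection-2023.pfx", builder.Configuration["DpCert:Previous2023"]),
};

var dp = builder.Services.AddDataProtection()
    .SetApplicationName("orders-api")                                   // assumed name
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/orders-api/keys")); // assumed path

if (builder.Configuration.GetValue<bool>("DataProtection:UseKeyVault"))
{
    // New key-ring entries are wrapped by the Key Vault key. This builder has no
    // UnprotectKeysWith* counterpart to hand it the old certificates, which is the
    // gap the issue describes when migrating from certificate protection.
    dp.ProtectKeysWithAzureKeyVault(
        new Uri("https://example-vault.vault.azure.net/keys/dataprotection/"), // assumed vault/key
        new DefaultAzureCredential());
}
else
{
    // Certificate protection: new entries use currentCert; entries wrapped with any of the
    // older certificates are unwrapped via UnprotectKeysWithAnyCertificate.
    dp.ProtectKeysWithCertificate(currentCert)
      .UnprotectKeysWithAnyCertificate(previousCerts);
}

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

When rotating certificates, add the outgoing certificate to the UnprotectKeysWithAnyCertificate list before switching ProtectKeysWithCertificate to the new one, and keep it there until every key-ring entry wrapped with it has expired and been revoked; removing it early makes the affected keys, and everything protected with them, undecryptable.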

Metadata

Assignees

No one assigned

    Labels

    api-suggestion: Early API idea and discussion, it is NOT ready for implementation
    area-dataprotection: Includes: DataProtection
    enhancement: This issue represents an ask for new feature or an enhancement to an existing one

    Type

    No type

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests