Share via

How to fix a cryptographic keys error

Raymond Starkey 0 Reputation points
2025-02-22T18:17:25.01+00:00

I have recently upgraded the my web app to .Net9.

I am now getting this error message from a call to CosmosDB to get a specific record...

System.Security.Cryptography.CryptographicException: The key {92c2f09a-14ff-4cea-8f15-e09dcec74987} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarning

at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)

The troubleshooter provided this advice, but I can find a key beginning with 56b7...

In the Azure Key Vault (AKV) key, the version is at the end, in this example, it is 56b7.... After the version is removed, in this example, https://my-vault.vault.azure.net/keys/my-key, the creation will succeed.

Azure Cosmos DB doesn't accept a version because it automatically picks up the latest key within one hour of creation. This is called automatic rotation.

but I can't find a key beginning with 56b7...

Can you give me some support to trace this error and fix it?

Can you explain why I cannot raise a ticket despite paying for support?

Thanks

Blazor Training
Blazor Training
Blazor: A free and open-source web framework that enables developers to create web apps using C# and HTML being developed by Microsoft.Training: Instruction to develop new skills.
18 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pradeep M 6,240 Reputation points Microsoft Vendor
    2025-02-24T03:51:17.44+00:00

    Hi Raymond Starkey

    Thank you for reaching out to Microsoft Q & A forum. 

    It looks like your Cosmos DB request is failing due to a cryptographic key issue. Here’s how you can resolve it: 

    1.Check Key Vault & Permissions 

    Ensure the key exists and is not deleted, disabled, or expired. 

    Verify that the Cosmos DB default identity has the required get, wrap, and unwrap permissions. 

    If using RBAC, make sure the "Key Vault Crypto Service Encryption User" role is assigned. 

    2.Verify Key Vault URI & Automatic Key Rotation 

    Cosmos DB does not accept versioned keys. Use the format: https://my-vault.vault.azure.net/keys/my-key (without a version). 

    Allow up to one hour for the update to take effect. 

    3.Resolve .NET 9 Data Protection Key Issue 

    Ensure Data Protection keys are correctly stored in Azure Key Vault, Blob Storage, or an accessible file system path. 

    4.Unable to Raise a Support Ticket? 

    Check your subscription level, permissions, and support plan status. 

    If issues persist, try Microsoft Support Chat or the Azure Support Portal. 

    Please feel free to contact us if you have any additional questions.     

    If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.  

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.