Data Protection
Releval encrypts authentication cookies and anti-forgery tokens using a set of encryption keys. By default, keys are stored in memory and regenerated on each container restart, which causes all active sessions to be invalidated.
For production deployments, persist keys to a volume.
Settings
| Variable | Default | Description |
|---|---|---|
| DATAPROTECTION__APPLICATIONNAME | (none) | Application name for key isolation |
| DATAPROTECTION__KEYSDIRECTORY | (none) | Directory to persist encryption keys |
| DATAPROTECTION__KEYLIFETIME | 90.00:00:00 | Key rotation lifetime (90 days) |
| DATAPROTECTION__CERTIFICATE__PATH | (none) | Path to PFX certificate for encrypting keys at rest |
| DATAPROTECTION__CERTIFICATE__PASSWORD | (none) | Password for the PFX certificate |
| DATAPROTECTION__CERTIFICATE__THUMBPRINT | (none) | Certificate thumbprint (alternative to path) |
Basic Setup
Persist keys to a Docker volume so sessions survive container restarts:
Environment Variable:

```yaml
services:
  releval:
    environment:
      - DATAPROTECTION__APPLICATIONNAME=Releval
      - DATAPROTECTION__KEYSDIRECTORY=/app/keys
    volumes:
      # Named volume keeps the keys across container restarts
      - releval-keys:/app/keys

volumes:
  releval-keys:
```

appsettings.json:

```json
{
  "DataProtection": {
    "ApplicationName": "Releval",
    "KeysDirectory": "/app/keys"
  }
}
```
Certificate Encryption
For additional security, encrypt keys at rest using an X.509 certificate:
Environment Variable:

```yaml
services:
  releval:
    environment:
      - DATAPROTECTION__APPLICATIONNAME=Releval
      - DATAPROTECTION__KEYSDIRECTORY=/app/keys
      - DATAPROTECTION__CERTIFICATE__PATH=/app/certs/dataprotection.pfx
      # Interpolated by Compose from the host environment or an .env file
      - DATAPROTECTION__CERTIFICATE__PASSWORD=${CERT_PASSWORD}
    volumes:
      - releval-keys:/app/keys
      # Certificate directory is mounted read-only
      - ./certs:/app/certs:ro

volumes:
  releval-keys:
```

appsettings.json:

```json
{
  "DataProtection": {
    "ApplicationName": "Releval",
    "KeysDirectory": "/app/keys",
    "Certificate": {
      "Path": "/app/certs/dataprotection.pfx",
      "Password": "your-certificate-password"
    }
  }
}
```
To generate a self-signed certificate for testing:
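```bash
# -nodes writes key.pem without a passphrase, so treat that file as a secret
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=DataProtection"
# Prompts for an export password; use it as DATAPROTECTION__CERTIFICATE__PASSWORD
openssl pkcs12 -export -out dataprotection.pfx -inkey key.pem -in cert.pem
```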
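To confirm that persisted keys really are encrypted at rest once the certificate is configured, the following added example (not part of Releval or its documentation) audits a keys directory. It assumes the key files are named `key-*.xml` and use the ASP.NET Core Data Protection XML layout, which this page does not state; the function name `audit_keyring` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Releval code). Assumption: the keys directory holds
# key-*.xml files in the ASP.NET Core Data Protection layout, where a key
# encrypted at rest carries <encryptedSecret> and an unprotected one
# carries the raw key under <masterKey>.

# Print one status line per key file; return non-zero if any key is not
# encrypted at rest.
audit_keyring() {
    dir=$1
    unprotected=0
    for f in "$dir"/key-*.xml; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        if grep -q '<encryptedSecret' "$f"; then
            echo "OK        $name"
        elif grep -q '<masterKey' "$f"; then
            echo "PLAINTEXT $name"
            unprotected=$((unprotected + 1))
        else
            echo "UNKNOWN   $name"
            unprotected=$((unprotected + 1))
        fi
        # Characters 5-10 of the mode string are the group and other bits.
        perms=$(ls -l "$f" | cut -c5-10)
        [ "$perms" = "------" ] || echo "PERMS     $name ($perms for group/other)"
    done
    [ "$unprotected" -eq 0 ]
}

# Constructed sample key ring: shortened files with no real key material.
demo=$(mktemp -d)
echo '<key id="constructed-1"><encryptedSecret><encryptedKey/></encryptedSecret></key>' \
    > "$demo/key-constructed-1.xml"
echo '<key id="constructed-2"><masterKey><value>AAAA</value></masterKey></key>' \
    > "$demo/key-constructed-2.xml"
chmod 600 "$demo"/key-*.xml
audit_keyring "$demo" || echo "some keys are not encrypted at rest"
rm -rf "$demo"
```

Against a real deployment, call `audit_keyring` on the directory set in DATAPROTECTION__KEYSDIRECTORY, from inside the container or on the mounted volume.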
Multi-Container Deployments
When running multiple Releval containers behind a load balancer, all containers must share the same keys.
Configure them with the same APPLICATIONNAME and a shared KEYSDIRECTORY:
```yaml
services:
  releval-1:
    environment:
      - DATAPROTECTION__APPLICATIONNAME=Releval
      - DATAPROTECTION__KEYSDIRECTORY=/app/keys
    volumes:
      - releval-keys:/app/keys

  releval-2:
    environment:
      - DATAPROTECTION__APPLICATIONNAME=Releval
      - DATAPROTECTION__KEYSDIRECTORY=/app/keys
    volumes:
      - releval-keys:/app/keys

volumes:
  releval-keys:
```
For multi-container deployments, you must also configure Redis for distributed caching and real-time notifications across instances.