
When your .NET Core application decrypts a string on a different machine from the one that encrypted it, you may run into the following exception:

 

Exception:

System.Security.Cryptography.CryptographicException: The payload was invalid.

   at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)

   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)

   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)

   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)

   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)

   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)

 

Two things you will need to check:

1. Is the encryption key persisted only to a local path? - The key needs to be persisted to a shared location

2. SetApplicationName must be used to set an explicit application name. - If the application name is not set, a GUID is generated at runtime, which differs between machines and leads to the error above.

 

 

Code example:

 

            services.AddDataProtection()

               .ProtectKeysWithCertificate(x509Cert)

               .UseCryptographicAlgorithms(

                      new AuthenticatedEncryptorConfiguration()

                      {

                          EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,

                          ValidationAlgorithm = ValidationAlgorithm.HMACSHA256

                      }

                  )

              .PersistKeysToFileSystem(new System.IO.DirectoryInfo(Configuration.GetValue<string>("KeyLocation"))) //shared network folder for key location

              .SetApplicationName("MyApplicationName")

              .SetDefaultKeyLifetime(TimeSpan.FromDays(600));