问
According to ASP.NET Key Management:
Deleting a key is truly destructive behavior, and consequently the data protection system exposes no first-class API for performing this operation.
Is the expired key still being used to unprotect data previously protected by that key even that key is expired?
Are the expired key kept forever even it might not have any more data protected by it?
Is it a bad practice to delete the key even it is not needed to unprotect any data?
I think currently we need it for the cookie authentication only. The worse case of deleting the key is the user may need to relogon.
What else from ASP.NET Core need the data protection by default?
答
Is the expired key still being used to unprotect data previously protected by that key even that key is expired?
Yes.
Are the expired key kept forever even it might not have any more data protected by it?
Yes, because we have no way of knowing how you used it, or whether any data still exists.
Is it a bad practice to delete the key even it is not needed to unprotect any data?
Probably not, but you as the developer can use data protection for your own data. We can't know whether you did or not.
What else from ASP.NET Core need the data protection by default?
Parts of OAuth login flow, session and temp data. But those are really short lived.