diff --git a/.gitignore b/.gitignore
index ac82da7568..0d01a992a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@ nuget.exe
 *.ipch
 *.sln.ide
 project.lock.json
+.vs
\ No newline at end of file
diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
index 0c9037e247..5004cd0745 100644
--- a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
@@ -4,6 +4,7 @@
 using System;
 using System.Reflection;
 using Microsoft.AspNet.Cryptography;
+using Microsoft.AspNet.DataProtection.Internal;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.AspNet.DataProtection
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
index 37a8413a3a..f54d9f6eb2 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
@@ -6,6 +6,7 @@ using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.Cryptography.Cng;
 using Microsoft.AspNet.Cryptography.SafeHandles;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.Cng.Internal;
 using Microsoft.AspNet.DataProtection.SP800_108;
 
 namespace Microsoft.AspNet.DataProtection.Cng
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
index 953fb05106..027f5c1da1 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
@@ -6,6 +6,7 @@ using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.Cryptography.Cng;
 using Microsoft.AspNet.Cryptography.SafeHandles;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.Cng.Internal;
 using Microsoft.AspNet.DataProtection.SP800_108;
 
 namespace Microsoft.AspNet.DataProtection.Cng
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
similarity index 96%
rename from src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs
rename to src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
index 968a31cd0b..68f933fded 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
@@ -4,12 +4,12 @@
 using System;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 
-namespace Microsoft.AspNet.DataProtection.Cng
+namespace Microsoft.AspNet.DataProtection.Cng.Internal
 {
     /// <summary>
     /// Base class used for all CNG-related authentication encryption operations.
     /// </summary>
-    internal unsafe abstract class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable
+    public unsafe abstract class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable
     {
         public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
         {
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
index e0a9749101..efef3fe5ca 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
@@ -8,6 +8,7 @@ using Microsoft.AspNet.DataProtection;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
 using Microsoft.AspNet.DataProtection.Cng;
 using Microsoft.AspNet.DataProtection.KeyManagement;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.Extensions.Logging;
 using Microsoft.Win32;
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
index faaf687548..4ad566865e 100644
--- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
@@ -5,6 +5,7 @@ using System;
 using Microsoft.AspNet.Cryptography.Cng;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.KeyManagement;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNet.DataProtection
diff --git a/src/Microsoft.AspNet.DataProtection/IActivator.cs b/src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs
similarity index 89%
rename from src/Microsoft.AspNet.DataProtection/IActivator.cs
rename to src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs
index 012510869c..2adb8efa37 100644
--- a/src/Microsoft.AspNet.DataProtection/IActivator.cs
+++ b/src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs
@@ -3,13 +3,13 @@
 
 using System;
 
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNet.DataProtection.Internal
 {
     /// <summary>
     /// An interface into <see cref="Activator.CreateInstance{T}"/> that also supports
     /// limited dependency injection (of <see cref="IServiceProvider"/>).
     /// </summary>
-    internal interface IActivator
+    public interface IActivator
     {
         /// <summary>
         /// Creates an instance of <paramref name="implementationTypeName"/> and ensures
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
index dc721a1331..cd3945505d 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
@@ -6,6 +6,7 @@ using System.Collections.Generic;
 using System.Linq;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNet.DataProtection.KeyManagement
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
index 7d7b79bad3..591c9bd68d 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
@@ -3,6 +3,7 @@
 
 using System;
 using Microsoft.AspNet.Cryptography;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Microsoft.Extensions.DependencyInjection;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
index 559d9030ba..18c795d165 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
@@ -5,6 +5,7 @@ using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 
 namespace Microsoft.AspNet.DataProtection.KeyManagement
@@ -15,7 +16,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement
     /// </summary>
     internal sealed class DeferredKey : KeyBase
     {
-        public DeferredKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IInternalXmlKeyManager keyManager, XElement keyElement)
+        public DeferredKey(
+            Guid keyId,
+            DateTimeOffset creationDate,
+            DateTimeOffset activationDate,
+            DateTimeOffset expirationDate,
+            IInternalXmlKeyManager keyManager,
+            XElement keyElement)
             : base(keyId, creationDate, activationDate, expirationDate, new Lazy<IAuthenticatedEncryptor>(GetLazyEncryptorDelegate(keyManager, keyElement)))
         {
         }
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
similarity index 94%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
index b3bde5d737..090c150949 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
@@ -5,12 +5,12 @@ using System;
 using System.Collections.Generic;
 using System.Threading;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
     /// <summary>
     /// Wraps both a keyring and its expiration policy.
     /// </summary>
-    internal sealed class CacheableKeyRing
+    public sealed class CacheableKeyRing
     {
         private readonly CancellationToken _expirationToken;
 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
similarity index 92%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
index a60aa9bf25..8a4a536665 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
@@ -3,9 +3,9 @@
 
 using System;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
-    internal struct DefaultKeyResolution
+    public struct DefaultKeyResolution
     {
         /// <summary>
         /// The default key, may be null if no key is a good default candidate.
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
similarity index 70%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
index ccdb39ccba..1b5feb6c7a 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
@@ -3,9 +3,9 @@
 
 using System;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
-    internal interface ICacheableKeyRingProvider
+    public interface ICacheableKeyRingProvider
     {
         CacheableKeyRing GetCacheableKeyRing(DateTimeOffset now);
     }
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
similarity index 83%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
index 99178eb07a..8c3e2381da 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
@@ -4,12 +4,12 @@
 using System;
 using System.Collections.Generic;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
     /// <summary>
     /// Implements policy for resolving the default key from a candidate keyring.
     /// </summary>
-    internal interface IDefaultKeyResolver
+    public interface IDefaultKeyResolver
     {
         /// <summary>
         /// Locates the default key from the keyring.
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
similarity index 88%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
index faccf9554b..dd5d9bb012 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
@@ -5,12 +5,12 @@ using System;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
     /// <summary>
     /// Provides default implementations of the services required by an <see cref="IKeyManager"/>.
     /// </summary>
-    internal interface IDefaultKeyServices
+    public interface IDefaultKeyServices
     {
         /// <summary>
         /// Gets the default <see cref="IXmlEncryptor"/> service (could return null).
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
similarity index 82%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
index f94d40e8a8..47f419f340 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
@@ -5,10 +5,9 @@ using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
-    // Used for unit testing
-    internal interface IInternalXmlKeyManager
+    public interface IInternalXmlKeyManager
     {
         IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate);
 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs
similarity index 93%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs
index 6b7f0e6045..e5b144c9d8 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs
@@ -4,12 +4,12 @@
 using System;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
     /// <summary>
     /// The basic interface for accessing a read-only keyring.
     /// </summary>
-    internal interface IKeyRing
+    public interface IKeyRing
     {
         /// <summary>
         /// The authenticated encryptor that shall be used for new encryption operations.
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
similarity index 66%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs
rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
index 966328fc77..e532d024a8 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
@@ -1,11 +1,9 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
-
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal
 {
-    internal interface IKeyRingProvider
+    public interface IKeyRingProvider
     {
         IKeyRing GetCurrentKeyRing();
     }
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
index bb5610077b..f8cc2d106d 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
@@ -5,6 +5,7 @@ using System;
 using System.Collections.Generic;
 using System.Threading;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 
 namespace Microsoft.AspNet.DataProtection.KeyManagement
 {
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
index e56337ee29..cecf9c1bfc 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNet.DataProtection.KeyManagement
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
index c94da05ff7..b14819ec80 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
@@ -9,6 +9,7 @@ using System.Linq;
 using System.Threading;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNet.DataProtection.KeyManagement
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
index 017319c558..0ac3579b2c 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
@@ -6,6 +6,7 @@ using System.Collections.Generic;
 using System.Diagnostics;
 using System.Threading;
 using Microsoft.AspNet.Cryptography;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
index f8cf2c8e9f..0ced2fea20 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
@@ -11,6 +11,8 @@ using System.Xml;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.Internal;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Microsoft.Extensions.DependencyInjection;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
index f1987d1756..44ec3abe0c 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
@@ -9,6 +9,7 @@ using System.Linq;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.Internal;
 
 namespace Microsoft.AspNet.DataProtection.XmlEncryption
 {
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json
index e1bf23c336..741892fb6b 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json
@@ -1,19 +1,23 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" },
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  "dependencies": {
+    "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Test.Shared": {
+      "type": "build",
+      "version": ""
     },
-    "frameworks": {
-        "dnx451": { },
-        "dnxcore50": { }
-    },
-    "commands": {
-        "test": "xunit.runner.aspnet"
-    },
-    "compilationOptions": {
-        "allowUnsafe": true,
-        "keyFile": "../../tools/Key.snk"
-    }
+    "Microsoft.AspNet.Testing": "1.0.0-*",
+    "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  },
+  "frameworks": {
+    "dnx451": { },
+    "dnxcore50": { }
+  },
+  "commands": {
+    "test": "xunit.runner.aspnet"
+  },
+  "compilationOptions": {
+    "allowUnsafe": true,
+    "keyFile": "../../tools/Key.snk",
+    "warningsAsErrors": true
+  }
 }
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
index d03d6526fd..09cf034660 100644
--- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
@@ -1,20 +1,21 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
-        "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Test.Shared": "",
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "Moq": "4.2.1312.1622",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
-    },
-    "frameworks": {
-        "dnx451": { }
-    },
-    "commands": {
-        "test": "xunit.runner.aspnet"
-    },
-    "compilationOptions": {
-        "allowUnsafe": true,
-        "keyFile": "../../tools/Key.snk"
-    }
+  "dependencies": {
+    "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
+    "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Test.Shared": "",
+    "Microsoft.AspNet.Testing": "1.0.0-*",
+    "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  },
+  "frameworks": {
+    "dnx451": { },
+    "dnxcore50": { }
+  },
+  "commands": {
+    "test": "xunit.runner.aspnet"
+  },
+  "compilationOptions": {
+    "allowUnsafe": true,
+    "warningsAsErrors": true,
+    "keyFile": "../../tools/Key.snk"
+  }
 }
diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json
index dd7ede7811..8ceb6a391c 100644
--- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json
+++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json
@@ -1,20 +1,28 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*",
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "Moq": "4.2.1312.1622",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  "dependencies": {
+    "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*",
+    "Microsoft.AspNet.Testing": "1.0.0-*",
+    "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  },
+  "frameworks": {
+    "dnx451": {
+      "dependencies": {
+        "Moq": "4.2.1312.1622"
+      }
     },
-    "frameworks": {
-        "dnx451": { }
-    },
-    "commands": {
-        "test": "xunit.runner.aspnet"
-    },
-    "compile": "..\\common\\**\\*.cs",
-    "compilationOptions": {
-        "warningsAsErrors": true,
-        "keyFile": "../../tools/Key.snk"
+    "dnxcore50": {
+      "dependencies": {
+        "moq.netcore": "4.4.0-beta8"
+      }
     }
+  },
+  "commands": {
+    "test": "xunit.runner.aspnet"
+  },
+  "compile": "../common/**/*.cs",
+  "compilationOptions": {
+    "warningsAsErrors": true,
+    "keyFile": "../../tools/Key.snk"
+  }
 }
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
index 7bfc8b0d6c..0724799fa8 100644
--- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
@@ -86,7 +86,7 @@ namespace Microsoft.AspNet.DataProtection
 
         private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition
         {
-            public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null);
+            public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null;
 
             public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located.";
         }
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json
index 1a3581591b..2f098cd064 100644
--- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json
+++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json
@@ -1,20 +1,31 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" },
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "Moq": "4.2.1312.1622",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  "dependencies": {
+    "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Test.Shared": {
+      "type": "build",
+      "version": ""
     },
-    "frameworks": {
-        "dnx451": { }
+    "Microsoft.AspNet.Testing": "1.0.0-*",
+    "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  },
+  "frameworks": {
+    "dnx451": {
+      "dependencies": {
+        "Moq": "4.2.1312.1622"
+      }
     },
-    "commands": {
-        "test": "xunit.runner.aspnet"
-    },
-    "compilationOptions": {
-        "warningsAsErrors": true,
-        "keyFile": "../../tools/Key.snk"
+    "dnxcore50": {
+      "dependencies": {
+        "moq.netcore": "4.4.0-beta8"
+      }
     }
+  },
+  "commands": {
+    "test": "xunit.runner.aspnet"
+  },
+  "compilationOptions": {
+    "warningsAsErrors": true,
+    "keyFile": "../../tools/Key.snk"
+  }
 }
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json
index 266a312c09..70fcad2714 100644
--- a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json
@@ -1,17 +1,7 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
-    },
-    "frameworks": {
-        "dnx451": { },
-        "dnxcore50": { }
-    },
-    "commands": {
-        
-    },
-    "compilationOptions": {
-    },
-    "shared": "**\\*.cs"
+  "frameworks": {
+    "dnx451": { },
+    "dnxcore50": { }
+  },
+  "shared": "**/*.cs"
 }
diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
index 5bea3ae5b6..d5b96c0f17 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using Microsoft.AspNet.DataProtection.Internal;
 using Microsoft.Extensions.DependencyInjection;
 using Moq;
 using Xunit;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
index 35b2eaf8ae..cd76849191 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+#if DNX451
 using System;
 using System.Runtime.ConstrainedExecution;
 using System.Runtime.InteropServices;
@@ -85,3 +86,4 @@ namespace Microsoft.AspNet.DataProtection
         }
     }
 }
+#endif
\ No newline at end of file
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
index bdfdf504b2..183af245a7 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
@@ -74,14 +74,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM
             Assert.Equal(plaintext, roundTripPlaintext);
         }
 
+        public static TheoryData CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementationData
+            => new TheoryData<EncryptionAlgorithm, ValidationAlgorithm, Func<HMAC>>
+            {
+                { EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() },
+                { EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() },
+                { EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() },
+                { EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() },
+                { EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() },
+                { EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() },
+            };
+
         [Theory]
-        [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
-        [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256)]
-        [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)]
-        [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512)]
-        [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512)]
-        [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)]
-        public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm)
+        [MemberData(nameof(CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementationData))]
+        public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(
+            EncryptionAlgorithm encryptionAlgorithm,
+            ValidationAlgorithm validationAlgorithm,
+            Func<HMAC> validationAlgorithmFactory)
         {
             // Parse test input
             int keyLengthInBits = Int32.Parse(Regex.Match(encryptionAlgorithm.ToString(), @"^AES_(?<keyLength>\d{3})_CBC$").Groups["keyLength"].Value, CultureInfo.InvariantCulture);
@@ -90,9 +99,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM
             var masterKey = Secret.Random(512 / 8);
             var control = new ManagedAuthenticatedEncryptor(
                 keyDerivationKey: masterKey,
-                symmetricAlgorithmFactory: () => new AesCryptoServiceProvider(),
+                symmetricAlgorithmFactory: () => Aes.Create(),
                 symmetricAlgorithmKeySizeInBytes: keyLengthInBits / 8,
-                validationAlgorithmFactory: () => KeyedHashAlgorithm.Create(validationAlgorithm.ToString()));
+                validationAlgorithmFactory: validationAlgorithmFactory);
             var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance();
 
             // Act & assert - data round trips properly from control to test
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
index 0a6c668364..270ed2dcfb 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -53,7 +53,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM
             var control = new ManagedAuthenticatedEncryptorDescriptor(
                 new ManagedAuthenticatedEncryptionOptions()
                 {
-                    EncryptionAlgorithmType = typeof(AesCryptoServiceProvider),
+                    EncryptionAlgorithmType = typeof(Aes),
                     EncryptionAlgorithmKeySize = 192,
                     ValidationAlgorithmType = typeof(HMACSHA384)
                 },
@@ -67,7 +67,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM
                     <value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
                   </masterKey>
                 </descriptor>",
-                 typeof(AesCryptoServiceProvider).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName);
+                 typeof(Aes).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName);
             var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance();
 
             // Act & assert
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
index 4a47c64b29..db24e9b387 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
@@ -7,7 +7,7 @@ using Microsoft.AspNet.Testing.xunit;
 using Moq;
 using Xunit;
 
-namespace Microsoft.AspNet.DataProtection.Cng
+namespace Microsoft.AspNet.DataProtection.Cng.Internal
 {
     public unsafe class CngAuthenticatedEncryptorBaseTests
     {
@@ -89,7 +89,7 @@ namespace Microsoft.AspNet.DataProtection.Cng
             Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
         }
 
-        internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase
+        public abstract class MockableEncryptor : CngAuthenticatedEncryptorBase
         {
             public override void Dispose()
             {
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
index 5e4e5b82fd..8d8c81a510 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Threading;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Moq;
 using Xunit;
 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
index 93bd512972..38eb189734 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
@@ -5,6 +5,7 @@ using System;
 using System.Collections.Generic;
 using System.Globalization;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Moq;
 using Xunit;
 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
index fd41a98ff8..5dd7f0437a 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
@@ -5,6 +5,7 @@ using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.Testing;
 using Moq;
 using Xunit;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
index 12676b836d..8c03d91c5f 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -5,9 +5,11 @@ using System;
 using System.IO;
 using System.Linq;
 using System.Net;
+using System.Reflection;
 using System.Text;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.Testing;
 using Moq;
 using Xunit;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
index f136127af4..f3be5939ff 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
@@ -7,6 +7,7 @@ using System.Globalization;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.Testing;
 using Microsoft.Extensions.DependencyInjection;
 using Moq;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
index a0c8e319ee..2d4aa76feb 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
@@ -8,6 +8,8 @@ using System.Xml;
 using System.Xml.Linq;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.Internal;
+using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Microsoft.Extensions.DependencyInjection;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
index a0e1d411a7..ff4646a2ae 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
@@ -5,6 +5,7 @@ using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
 using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNet.DataProtection.Internal;
 using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Moq;
 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
index 450c778c57..79bb5ee555 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
@@ -195,7 +195,7 @@ namespace Microsoft.AspNet.DataProtection
                 ["EncryptionType"] = "managed",
                 ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName,
                 ["EncryptionAlgorithmKeySize"] = 2048,
-                ["ValidationAlgorithmType"] = typeof(HMACMD5).AssemblyQualifiedName
+                ["ValidationAlgorithmType"] = typeof(HMACSHA1).AssemblyQualifiedName
             });
 
             var services = serviceCollection.BuildServiceProvider();
@@ -203,7 +203,7 @@ namespace Microsoft.AspNet.DataProtection
             {
                 EncryptionAlgorithmType = typeof(TripleDES),
                 EncryptionAlgorithmKeySize = 2048,
-                ValidationAlgorithmType = typeof(HMACMD5)
+                ValidationAlgorithmType = typeof(HMACSHA1)
             });
             var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService<IAuthenticatedEncryptorConfiguration>();
 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
index a09f77bbd7..a0f76c8795 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
@@ -21,7 +21,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories
 
             // Assert
             Assert.Equal(defaultDirInfo.FullName,
-                new DirectoryInfo(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET", "DataProtection-Keys")).FullName);
+                new DirectoryInfo(Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-Keys")).FullName);
         }
 
         [Fact]
@@ -158,7 +158,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories
 
         private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition
         {
-            public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null);
+            public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null;
 
             public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located.";
         }
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
index bfaf877e89..7e013de0c0 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+#if !DNXCORE50
 using System;
 using System.Security.Cryptography;
 using System.Security.Cryptography.Xml;
@@ -58,3 +59,5 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption
         }
     }
 }
+#endif
+
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
index d2ae16a7cd..3a0f6e520c 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
@@ -33,6 +33,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption
             XmlAssert.Equal(originalXml, roundTrippedElement);
         }
 
+#if !DNXCORE50
         [ConditionalFact]
         [ConditionalRunTestOnlyOnWindows]
         public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails()
@@ -51,5 +52,6 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption
             ExceptionAssert2.ThrowsCryptographicException(() =>
                 AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement)));
         }
+#endif
     }
 }
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
index f6b03eaac6..7364fdad4e 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
@@ -4,6 +4,7 @@
 using System;
 using System.Linq;
 using System.Xml.Linq;
+using Microsoft.AspNet.DataProtection.Internal;
 using Microsoft.Extensions.DependencyInjection;
 using Moq;
 using Xunit;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json
index b63e75ac4d..7970ff1eca 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/project.json
+++ b/test/Microsoft.AspNet.DataProtection.Test/project.json
@@ -1,21 +1,32 @@
 {
-    "dependencies": {
-        "Microsoft.AspNet.DataProtection": "1.0.0-*",
-        "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" },
-        "Microsoft.AspNet.Testing": "1.0.0-*",
-        "Microsoft.Extensions.DependencyInjection": "1.0.0-*",
-        "Moq": "4.2.1312.1622",
-        "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  "dependencies": {
+    "Microsoft.AspNet.DataProtection": "1.0.0-*",
+    "Microsoft.AspNet.DataProtection.Test.Shared": {
+      "type": "build",
+      "version": ""
     },
-    "frameworks": {
-        "dnx451": { }
+    "Microsoft.AspNet.Testing": "1.0.0-*",
+    "Microsoft.Extensions.DependencyInjection": "1.0.0-*",
+    "xunit.runner.aspnet": "2.0.0-aspnet-*"
+  },
+  "frameworks": {
+    "dnx451": {
+      "dependencies": {
+        "Moq": "4.2.1312.1622"
+      }
     },
-    "commands": {
-        "test": "xunit.runner.aspnet"
-    },
-    "compilationOptions": {
-        "allowUnsafe": true,
-        "warningsAsErrors": true,
-        "keyFile": "../../tools/Key.snk"
+    "dnxcore50": {
+      "dependencies": {
+        "moq.netcore": "4.4.0-beta8"
+      }
     }
+  },
+  "commands": {
+    "test": "xunit.runner.aspnet"
+  },
+  "compilationOptions": {
+    "allowUnsafe": true,
+    "warningsAsErrors": true,
+    "keyFile": "../../tools/Key.snk"
+  }
 }