mike55 Posted February 22, 2008

Hi all

I am using the aspnet_regiis set of commands to create a provider and encrypt/decrypt the connection string in a web.config file. The problem that I am having is that I generate the key on one machine and encrypt the config file. I then export the key and import onto my server, and assign the relevant permissions. I now want to remove the key so that nobody can look at the web.config file and be able to simply run the decryption command to see the connection string.

Here are the commands that I use:

1. Generate machine level RSA key
aspnet_regiis -pc "CustomKeys" -exp

2. Encrypt the connection string
aspnet_regiis -pe "connectionStrings" -app "/project name" -prov "CustomProvider"

3. Export the key
aspnet_regiis -px "CustomKeys" "C:\temp\CustomKeys.xml" -pri

4. Import the key into the server
aspnet_regiis -pi "CustomKeys" "C:\temp\CustomKeys.xml"

5. Grant access to the custom key store
aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"
aspnet_regiis -pa "CustomKeys" "ASPNET"

6. Delete RSA key container
aspnet_regiis -pz "CustomKeys"

If I run the command to delete the RSA key container, the system is unable to decrypt the connection string. What step am I missing? If I have completed all the steps correctly, how can this be secure from a user that manages to get on the server?
To provide further information, I have added the following to the standard web.config file:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configProtectedData>
    <providers>
      <clear/>
      <add keyContainerName="CustomKeys"
           useMachineContainer="true"
           description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
           name="CustomProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    </providers>
  </configProtectedData>
  <connectionStrings>
    <add name="myConn" connectionString="your connection string"/>
  </connectionStrings>

Mike55.

A Client refers to the person who incurs the development cost. A Customer refers to the person that pays to use the product. ------ My software never has bugs. It just develops random features. (Mosabama vbforums.com)
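An added check, not from this thread, that a defender can run on the server after steps 4 and 5: it reads the RSA provider declared in web.config (assumed path .\web.config), confirms the key container it names still exists in the machine store, and lists the ACL on the key file, which is exactly what the -pa step grants and what disappears entirely after -pz.

```powershell
# Added example (not from the thread): verify the RSA protected-configuration
# key container behind web.config and show who can read it.
param(
    [string]$WebConfig = '.\web.config'   # assumed path; point at the site's web.config
)

[xml]$cfg = Get-Content -LiteralPath $WebConfig
$provider = $cfg.configuration.configProtectedData.providers.add |
    Where-Object { $_.type -like 'System.Configuration.RsaProtectedConfigurationProvider*' } |
    Select-Object -First 1
if (-not $provider) { throw "No RsaProtectedConfigurationProvider declared in $WebConfig" }

$containerName = $provider.keyContainerName
$useMachine    = $provider.useMachineContainer -ne 'false'   # provider default is true
$encrypted     = [bool]$cfg.configuration.connectionStrings.configProtectionProvider
Write-Host "Provider '$($provider.name)' uses container '$containerName' (machine store: $useMachine)"
Write-Host "connectionStrings section encrypted: $encrypted"

# Open the container with UseExistingKey so a missing key is reported, not created.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $containerName
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
if ($useMachine) {
    $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
}
try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
} catch {
    # This is the state the thread describes after 'aspnet_regiis -pz': the key
    # is gone, so the encrypted section can no longer be decrypted by anyone.
    throw "Key container '$containerName' not found: $($_.Exception.Message)"
}

# Machine-store keys are files under the common application-data folder; the
# unique container name is the file name for the friendly name in web.config.
$keyFile = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
    ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
$rsa.Dispose()   # PersistKeyInCsp stays true for an existing key, so nothing is deleted
Write-Host "Key file: $keyFile"

# Every principal with read access here can decrypt the section; keep this list
# to the application pool identity and remove anything added for convenience.
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the server, since the MachineKeys folder is not readable by ordinary accounts.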
PlausiblyDamp (Administrators) Posted February 23, 2008

The key is required to decrypt the sections - if you delete it then ASP.NET cannot decrypt the relevant sections. If you have already set permissions on the container though you shouldn't need to delete the key anyway.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
mike55 (Author) Posted February 23, 2008

So, this method is really only effective in the case that someone gets hold of the web.config file and moves it to another machine and then tries to decrypt it?

Mike55.

A Client refers to the person who incurs the development cost. A Customer refers to the person that pays to use the product. ------ My software never has bugs. It just develops random features. (Mosabama vbforums.com)
PlausiblyDamp (Administrators) Posted February 23, 2008

It is an extra layer of security for the web.config file. If somebody has physical access to the server then you already have problems in ensuring security - however this may be unavoidable (3rd party hosting as an example). Encrypting the config file simply prevents information contained from being available in clear text; by securing the container you are preventing all but one or two selected accounts from ever being able to decrypt the file.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein