Wednesday, October 12, 2005
Encrypting web.config without writing Code
I think a lot of people need an easy way to encrypt sections of their web.config, and it has never been easier than in ASP.NET 2.0.
1- Tool: Aspnet_regiis.exe.
It is limited to certain kinds of sections. Some system sections, such as <processModel>, <runtime> and <system.runtime.remoting>, cannot be encrypted with this tool, so for those we have to use another tool, Aspnet_setreg.exe.
2- Encryption provider: RSA.
3- Key storage location: the encryption keys are saved in key container files.
a- Machine container: the encryption key is shared by all applications running on the same server (\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys).
The shared encryption key container is "NetFrameworkConfigurationKey".
b- User container: the encryption key is accessible only by our application (\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA).
4- Encrypting:
For IIS: aspnet_regiis -pe "ParentSection/ChildSection" -app "/WebApplication1"
-pe: the section to be encrypted, like "connectionStrings" or "appSettings/App1"
-app: the virtual path to the application
-pd: for decryption
For the built-in web server of Visual Studio .NET 2005:
aspnet_regiis.exe -pef "ParentSection/ChildSection" C:\MyWebs\WebApp1
-pef: the section to be encrypted plus the physical path of the application
-pdf: for decryption
For user container storage, declare a provider in web.config that uses the user container (the released .NET 2.0 schema names this element configProtectedData, and the provider type lives in the System.Configuration assembly):
<configProtectedData>
  <providers>
    <add keyContainerName="NetFrameworkConfigurationKey"
         useMachineContainer="false"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="MyUserRSAProtectedConfigurationprovider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>
The good news is that you don't have to write anything special in your code to read the encrypted data; it is read the same way as before: ConfigurationManager.ConnectionStrings("MyConn1").ConnectionString
5- ACL on the encryption key: which web application has permission to read the encrypted data?
Every ASP.NET web application runs under an identity (in IIS 6 it is the identity of the application pool). When an ASP.NET web application tries to read encrypted data, ASP.NET checks whether that application has the appropriate permission by checking the NTFS ACL on the encryption key container file (for the shared machine container that is NetFrameworkConfigurationKey) against the application identity.
Access denied: if your web application does not have permission to access the key --> "Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The handle is invalid."
Grant access to an account: aspnet_regiis -pa "NetFrameworkConfigurationKey" "MyServer\MyUser"
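As an added example (not code from the original post), a small Python audit that walks a web.config and reports which sensitive sections aspnet_regiis has protected (a configProtectionProvider attribute with an EncryptedData child), which are still plaintext, and whether the provider a section names is actually declared. The sample web.config, its provider name and its CipherValue are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config (not from the original post): connectionStrings is protected
# the way aspnet_regiis leaves it, appSettings is not. CipherValue is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <configProtectedData>
    <providers>
      <add name="MyUserRSAProtectedConfigurationprovider"
           keyContainerName="NetFrameworkConfigurationKey" useMachineContainer="false"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="MyUserRSAProtectedConfigurationprovider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="plaintext-secret" />
  </appSettings>
</configuration>"""

ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Sections that commonly hold credentials; the two providers are declared in machine.config.
SENSITIVE = ("connectionStrings", "appSettings", "system.web/identity")
BUILTIN_PROVIDERS = {"RsaProtectedConfigurationProvider", "DataProtectionConfigurationProvider"}

def audit(web_config_xml):
    """Return {section: 'protected' | 'unknown-provider' | 'plaintext' | 'absent'}."""
    root = ET.fromstring(web_config_xml)
    declared = set(BUILTIN_PROVIDERS)
    declared.update(p.get("name") for p in root.findall("configProtectedData/providers/add"))
    report = {}
    for path in SENSITIVE:
        section = root.find(path)
        if section is None:
            report[path] = "absent"
            continue
        provider = section.get("configProtectionProvider")
        if provider is None or section.find(ENCRYPTED_DATA) is None:
            report[path] = "plaintext"          # aspnet_regiis has not encrypted it
        elif provider not in declared:
            report[path] = "unknown-provider"   # runtime decryption would fail
        else:
            report[path] = "protected"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
```

Run it against a deployed web.config to catch sections that were never encrypted or that reference a provider the server does not declare, which is the runtime failure mode described under the ACL section.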