
Wednesday, October 12, 2005


Encrypting web.config without writing Code

A lot of people need an easy way to encrypt sections of their web.config (connection strings, credentials in <identity>, SMTP passwords and the like). It has never been easier than in ASP.NET 2.0, which can protect whole configuration sections without any code in the application.
1- Tool : Aspnet_regiis.exe (in %windir%\Microsoft.NET\Framework\v2.0.50727).
    It is limited to sections that ASP.NET itself reads. Sections that the CLR consumes before ASP.NET starts, such as <processModel>, <runtime>, <mscorlib>, <startup> and <system.runtime.remoting>, cannot be encrypted this way; for the credentials in <processModel> the older Aspnet_setreg.exe (from ASP.NET 1.1) is still the tool, and it stores them in the registry rather than in the config file.
2- Encryption Provider : RSA (RsaProtectedConfigurationProvider, the default). ASP.NET 2.0 also ships DataProtectionConfigurationProvider, which uses the Windows DPAPI machine key instead; a provider other than the default is selected with the -prov switch.
3- Key Storage Location : the RSA key pair lives in a CryptoAPI key container, which the CSP persists as a file on disk. Only the machine that holds the container can decrypt the section, so an encrypted web.config copied to another server is useless there unless the key is moved too (aspnet_regiis -px "ContainerName" keys.xml -pri exports it with the private key, aspnet_regiis -pi "ContainerName" keys.xml imports it on the other server).
    a- Machine Container : the key is available to every account on the server that has been granted access to it ( \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys ).
    The default shared key container is named "NetFrameworkConfigurationKey"; aspnet_regiis creates it on first use.
    b- User Container : the key is stored in one user's profile ( \Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA\{UserSID} ) and can only be opened by that user, so the worker process must run as that account with its profile loaded. This isolates the key from other applications on the same server, at the cost of tying the application to that account.
4- Encrypting :
For an application hosted in IIS (located by virtual path) : aspnet_regiis -pe "connectionStrings" -app "/WebApplication1"
-pe :  the section to encrypt. Only whole sections can be protected, not individual elements; a section inside a section group is given with a slash, e.g. "system.web/membership"
-app: the virtual path to the application (add -site "Site Name" when it is not under the default web site)
-pd : the same syntax, for decryption
For the built-in web server of Visual Studio .NET 2005, or any application you want to locate by physical path :
aspnet_regiis.exe -pef "connectionStrings" C:\MyWebs\WebApp1
-pef: section to encrypt + physical path of the directory that holds web.config
-pdf: the same syntax, for decryption
After encryption the section element gets a configProtectionProvider attribute and its child elements are replaced by an <EncryptedData> block; if you still see plaintext <add> entries, the tool did not touch the section.
For User Container Storage, register your own RSA provider with useMachineContainer="false" under <configProtectedData> and select it with -prov. The snippet below is the original one with its defects fixed: the assembly is System.Configuration (not SystemConfiguration), the version is 2.0.0.0, the mandatory name attribute was missing, and without useMachineContainer="false" the provider still uses the machine container. "MyUserRsaProvider" is a placeholder name.
    <configProtectedData>
      <providers>
        <add name="MyUserRsaProvider"
             keyContainerName="NetFrameworkConfigurationKey"
             useMachineContainer="false"
             description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </configProtectedData>
Then encrypt with it: aspnet_regiis -pef "connectionStrings" C:\MyWebs\WebApp1 -prov "MyUserRsaProvider"
The good news is that you don't have to write anything special in your code to read the encrypted data. The configuration system decrypts the section transparently when it is loaded, so it is read the same way as before, e.g. in VB: ConfigurationManager.ConnectionStrings("MyConn1").ConnectionString (in C#: ConfigurationManager.ConnectionStrings["MyConn1"].ConnectionString, with a reference to System.Configuration.dll).

5- ACL on the Encryption Key : which web application has permission to read encrypted data ?

Every ASP.NET web application runs under an identity (in IIS 6 it is the identity of the application pool, NETWORK SERVICE by default; with <identity impersonate="true"> it is the impersonated account). When the application reads an encrypted section, the RSA provider opens the key container under that identity, and Windows checks the NTFS ACL on the key container file (for the shared machine container, the one named NetFrameworkConfigurationKey) against it. Encryption with aspnet_regiis runs under your own account, which is why it succeeds while the application later fails.
Access Denied : if your web app does not have permission to access the key, the first request fails with "Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The handle is invalid."

Grant Access to an Account: aspnet_regiis -pa "NetFrameworkConfigurationKey" "MyServer\MyUser"
For the default IIS 6 application pool that is: aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
Remove Access again with -pr, using the same arguments. Grant the key to the application identities that need it and nothing else: any account that can open the container can decrypt every section protected with it, so a shared machine container is only as private as its ACL.
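The steps above as one script, added here as an example and not part of the original post: it encrypts the connectionStrings section of an application by physical path, checks that the section really was protected and that no plaintext password string is left behind, grants the worker-process identity access to the machine key container, and can reverse the whole thing for editing. The .NET install path, the application directory C:\MyWebs\WebApp1, the script name and the NETWORK SERVICE identity are assumptions; adjust them to your server and run it from an elevated command prompt.

```batch
@echo off
REM protect-config.cmd - added example, not from the original post.
REM Encrypts or decrypts the connectionStrings section of one web application
REM by physical path, grants the worker-process identity access to the
REM machine-level RSA key container, and verifies the result.
REM Assumptions (not from the post): .NET 2.0 at the path below, the app lives
REM at C:\MyWebs\WebApp1, and its IIS 6 app pool runs as NETWORK SERVICE.
REM Usage: protect-config.cmd encrypt | decrypt   (run elevated)

setlocal
set REGIIS=%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
set APPDIR=C:\MyWebs\WebApp1
set SECTION=connectionStrings
set KEYCONTAINER=NetFrameworkConfigurationKey
set APPIDENTITY=NT AUTHORITY\NETWORK SERVICE

if /I "%~1"=="encrypt" goto :encrypt
if /I "%~1"=="decrypt" goto :decrypt
echo Usage: %~nx0 encrypt ^| decrypt
exit /b 2

:encrypt
REM 1. Encrypt in place. aspnet_regiis creates the default machine-level
REM    container (NetFrameworkConfigurationKey) on first use if it is missing.
"%REGIIS%" -pef "%SECTION%" "%APPDIR%"
if errorlevel 1 goto :fail

REM 2. Verify. A protected section carries a configProtectionProvider
REM    attribute and its plaintext <add> entries are replaced by <EncryptedData>.
findstr /C:"configProtectionProvider=" "%APPDIR%\web.config" >nul
if errorlevel 1 (
    echo ERROR: %SECTION% in %APPDIR%\web.config is still plaintext
    goto :fail
)
REM    A leftover "password=" means a secret sits in a section you did not encrypt.
findstr /I /C:"password=" "%APPDIR%\web.config" >nul
if not errorlevel 1 echo WARNING: a plaintext "password=" string is still in web.config

REM 3. Grant the worker-process identity access to the key container. Without
REM    this the first request fails with "Failed to decrypt using provider
REM    'RsaProtectedConfigurationProvider'" because the ACL check is done
REM    against the app pool identity, not the account that ran this script.
"%REGIIS%" -pa "%KEYCONTAINER%" "%APPIDENTITY%"
if errorlevel 1 goto :fail
echo OK: %SECTION% encrypted; %APPIDENTITY% granted access to %KEYCONTAINER%
exit /b 0

:decrypt
REM Reverse the operation so the section can be edited; re-run "encrypt" after.
"%REGIIS%" -pdf "%SECTION%" "%APPDIR%"
if errorlevel 1 goto :fail
findstr /C:"configProtectionProvider=" "%APPDIR%\web.config" >nul
if not errorlevel 1 (
    echo ERROR: %SECTION% is still marked as protected after -pdf
    goto :fail
)
echo OK: %SECTION% decrypted; web.config holds plaintext again, re-encrypt before deploying
exit /b 0

:fail
echo aspnet_regiis step failed (exit code %errorlevel%)
exit /b 1
```

The findstr checks are the part worth keeping even if you type the commands by hand: aspnet_regiis reports success for a section name it simply did not find in the file, so confirming the configProtectionProvider attribute is what tells you the secrets are actually gone from the plaintext.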
