The method of encrypting config under ASP.net

Source: Internet
Author: User
The code is as follows:
<appSettings>
<!-- whether the connection string is encrypted -->
<add key="Constringencrypt" value="false"/>
<!-- connection strings (can be extended to support different databases); if the string is encrypted, the item above is set to true; if it is clear text, e.g. server=127.0.0.1;database=codematic;uid=sa;pwd=, the item above is set to false -->
<add key="ConnectionString" value="Data Source=datadirectory\wm.mdb; Persist Security Info=true"/>
<!-- permissions module connection string -->
<add key="connectionstringaccounts" value="Data Source=datadirectory\wm.mdb; Persist Security Info=true"/>
<add key="ConnectionString2" value="Data Source=datadirectory\wm.mdb; Persist Security Info=true"/>
<!-- the virtual directory name (empty if the application is a site) -->
<add key="virtualpath" value=""/>
<!-- login page address -->
<add key="LoginPage" value="admin/login.aspx"/>
<!-- whether the menu is expanded by default -->
<add key="menuexpanded" value="false"/>
<!-- entity object cache time (minutes) -->
<add key="Modelcache" value=""/>
</appSettings>

ASP.NET 2.0 added the ability to encrypt part of the data in Web.config, using either RsaProtectedConfigurationProvider or DpapiProtectedConfigurationProvider. This article describes the steps for encrypting with RsaProtectedConfigurationProvider and a machine-level key container.
1. First determine if the configuration section in the Web.config to be encrypted can be encrypted
2. Create an RSA key container
3. Identify the key container to use in Web.config
4. Encrypt the web.config
5. Grant access to the RSA key container
Step 1: Determine whether the configuration section in Web.config that you want to encrypt can be encrypted
ASP.NET 2.0 supports encrypting individual configuration sections of Web.config, but the data in the following configuration sections cannot be encrypted:
* <processModel>
* <runtime>
* <mscorlib>
* <startup>
* <system.runtime.remoting>
* <configProtectedData>
* <satelliteassemblies>
* <cryptographySettings>
* <cryptoNameMapping>
* <cryptoClasses>

Step 2: Create an RSA key container
To create an RSA key container, use the ASP.NET IIS Registration tool (Aspnet_regiis.exe) with the -pc switch. You must specify a name for the key container; this name identifies the key container used by the RsaProtectedConfigurationProvider declared in the configProtectedData section of the application's Web.config file. To make sure the newly created RSA key container can be exported, include the -exp option.
For example, the following command creates an RSA key container named Abeenkeys, which is an exportable computer-level key container:
aspnet_regiis -pc "Abeenkeys" -exp
Step 3: Modify Web.config to identify the key container
Edit the Web.config file to identify the key container to use.
The <configProtectedData> section in Web.config configures the key container; here it uses the computer-level RSA key container named Abeenkeys.
Add the xmlns attribute to <configuration>:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Declare an RsaProtectedConfigurationProvider that uses the computer-level RSA key container named Abeenkeys (the PublicKeyToken below is the well-known strong-name token of System.Configuration).
The code is as follows:
<configProtectedData>
<providers>
<add name="Abeenprovider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
keyContainerName="Abeenkeys"/>
</providers>
</configProtectedData>

Step 4: Encrypt the <connectionStrings> section of your Web.config file
Encrypt the configuration section in your Web.config file (the section name is case-sensitive, and -app takes the application's virtual path):
> aspnet_regiis -pe "connectionStrings" -app "/connectiontest"
Note that if no -prov switch is given, aspnet_regiis uses the default RsaProtectedConfigurationProvider from the machine configuration rather than the provider declared in step 3; pass -prov "Abeenprovider" to use the Abeenkeys container.
Step 5: Grant access to the RSA key container
You can determine which account needs to be granted rights by writing out the identity of the worker process from a page:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
By default, the RSA key container is tightly protected by the NTFS access control list (ACL) on the host server. This limits who can access the encryption key and so protects the encrypted information. Before ASP.NET can use the RSA key container, you must grant read access to it to the process identity of the ASP.NET application. Use the Aspnet_regiis.exe tool with the -pa switch to grant the ASP.NET application's identity read access to the RSA key container. For example, the following command grants read access to the computer-level RSA key container named Abeenkeys to the Windows Server 2003 NETWORK SERVICE account:
aspnet_regiis -pa "Abeenkeys" "NT AUTHORITY\NETWORK SERVICE"
Attention:
If the RSA key container is a user-level container, you must be logged on as the user whose Windows profile stores the key, and you must include the -pku option to grant access to the user-level RSA key container.
To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application's Windows identity access to the computer-level key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool, so the command above may also be issued in the following form:
aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
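The same protection that steps 3 to 5 apply with aspnet_regiis can also be applied and verified from code, which is useful for deployment scripts and for checking that a section really is encrypted after the tool has run. The following is an added example, not code from the original article; it assumes the provider "Abeenprovider" from step 3 is declared in <configProtectedData>, that the application is deployed at the virtual path "/connectiontest", and it works for both the <connectionStrings> section of step 4 and the <appSettings> block shown at the top of the page.

```csharp
// Added example: programmatic equivalent of "aspnet_regiis -pe ... -prov Abeenprovider"
// plus a read-back check. Assumptions: provider "Abeenprovider" (step 3) and
// application path "/connectiontest" (step 4) exist on the target server.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;

public static class ConfigProtection
{
    const string AppPath = "/connectiontest";   // virtual path used in step 4
    const string Provider = "Abeenprovider";    // provider declared in step 3

    // Encrypts the named section ("connectionStrings" or "appSettings") if it
    // is still in clear text. Returns true when the section is protected.
    // The worker process identity needs write access to Web.config and read
    // access to the RSA key container (step 5), otherwise Save() throws.
    public static bool ProtectSection(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(AppPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return true;                        // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);
        return section.SectionInformation.IsProtected;
    }

    // Audit helper: true when the section on disk is stored as <EncryptedData>.
    public static bool IsSectionProtected(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(AppPath);
        ConfigurationSection section = config.GetSection(sectionName);
        return section != null && section.SectionInformation.IsProtected;
    }

    // Reads a connection string back. The framework decrypts transparently,
    // so application code never sees the ciphertext; if the process identity
    // lacks rights on the key container this throws a ConfigurationErrorsException.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings s = WebConfigurationManager.ConnectionStrings[name];
        return s == null ? null : s.ConnectionString;
    }

    // The account that must be granted access with "aspnet_regiis -pa" (step 5).
    public static string ProcessIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}
```

Run ProtectSection("connectionStrings") once under an account that holds rights on the key container, then call IsSectionProtected from a health check to confirm the section has not been redeployed in clear text.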
