ASP. NET 2.0 encrypted Web. config configuration file (domestic version)

Overview:
Use protected configurations for encryption Web Applications Sensitive information (including user name and password, Database connection string and encryption key ). After the configuration information line is encrypted, attackers can obtain access to the configuration file, which makes it difficult for them to obtain access to sensitive information, thus improving application security. .

Usage:
In ASP. in net2.0, the web. you can use rsaprotectedconfigurationprovider and dpapiprotectedconfigurationprovider to encrypt some data in config. This document describes how to use rsaprotectedconfigurationprovidert and a computer-level key container for encryption.

Before encryption: <connectionstrings>
<Add name = "pubs" connectionstring = "Server = localhost; Integrated Security = true; database = pubs"
Providername = "system. Data. sqlclient"/>
<Add name = "northwind" connectionstring = "Server = localhost; Integrated Security = true; database = northwind"
Providername = "system. Data. sqlclient"/>
</Connectionstrings>

After encryption, We need to: <connectionstrings>
<Encrypteddata>
<Cipherdata>
<Ciphervalue> aqaaancmndjhoaw... </ciphervalue>
</Cipherdata>
</Encrypteddata>
</Connectionstrings>

There are two methods:
1. Use the default RSA key container.
2. customizes your RSA key container, but you need to set security access permissions here.

First, we will introduce how to do this by default:
1. Open notepad and copy the following code to a new file. <% @ Page Language = "C #" %>
<%
Response. Write (system. Security. Principal. windowsidentity. getcurrent (). Name );
%>

Save my. aspx to your web directory and run the form to display "nt authority/network service"

2. (key step) Run CMD and run the following cd % WINDOWS %/Microsoft. NET/framework/versionnumber
Aspnet_regiis-pa "netframeworkconfigurationkey" "nt authoritynetwork service"

Note: register the RSA key container of the default rsaprotectedconfigurationprovider,
Netframeworkconfigurationkey is the default provider of rsaprotectedconfigurationprovider.

3. Now, you can encrypt web. config and run:
Encryption:

Aspnet_regiis-pe "connectionstrings"-app "/myweb"

Note: "connectionstrings" is the section to be encrypted. "/myweb" is the web directory.
Decryption: aspnet_regiis-Pd "connectionstrings"-app "/myweb"

4. In this way, you can call it in the Program (no decryption is required )...
String connstr = configurationmanager. connectionstrings ["myconnstr"]. connectionstring. tostring ();
...

You can also create your own RSA key container as follows:
1. Create a "mykeys" key container and run: aspnet_regiis-PC "mykeys"-exp

2. Add the following code to Web. config: <protecteddata>
<Providers>
<Add name = "myprovider"
Type = "system. configuration. rsaprotectedconfigurationprovider, system. configuration, version = 2.0. 0.0,
Culture = neutral, publickeytoken = b03f5f7f11d0a3a,
Processorarchitecture = msil"
Keycontainername = "mykeys"
Usemachinecontainer = "true"/>
</Providers>
</Protecteddata>

Save web. config

3. Authorize the account to access the computer-level "mykeys" RSA key container and run: aspnet_regiis-pa "mykeys" "nt authoritynetwork service"

4. Now, you can encrypt web. config and run:
Encryption: aspnet_regiis-pe "connectionstrings"-app "/myweb"-prov "myprovider"

Note: "connectionstrings" is the section to be encrypted, "/myweb" is the web directory, and "myprovider" is the private key container.
Decryption: aspnet_regiis-Pd "connectionstrings"-app "/myweb"-prov "myprovider"

This is OK!
-------------------------- If you want to decrypt the configuration section. This parameter uses the following optional parameters:

·-The app virtualpath specifies that decryption should be performed at the included path level.
·-Location subpath specifies the subdirectory to be decrypted.
·-PKM specifies that the machine. config file should be decrypted instead of the web. config file.
·-PDF section webapplicationdirectory decrypts the specified configuration section of the web. config file in the specified physical (non-virtual) directory.
·-PE section

Encrypts the specified configuration section. This parameter uses the following optional modifier:

·-Prov provider specifies the encryption provider to be used.
·-App virtualpath indicates that encryption should be performed at the included path level.
·-Location subpath specifies the subdirectory to be encrypted.
-PKM specifies that the machine. config file should be encrypted instead of the web. config file.
·-Ave section webapplicationdirectory encrypts the specified configuration section of the web. config file in the specified physical (non-virtual) directory.