Configuration error: the provider RsaProtectedConfigurationProvider cannot be used for decryption. The error message returned by the provider is: the RSA key container cannot be opened.

Source: Internet
Author: User
Tags: connectionstrings
If you want to encrypt the database connection string in web.config, two methods are described here.

Method 1,
Use DataProtectionConfigurationProvider. Create a test.aspx page; the code-behind is as follows:
Add the following using directives (Configuration and ConfigurationSection live in System.Configuration, so the project also needs a reference to that assembly):
using System.Configuration;
using System.Web.Configuration;
using System.IO;

// Encrypt the connectionStrings section with the DPAPI-based provider
protected void Button1_Click(object sender, EventArgs e)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Only encrypt when the section exists and is not already protected
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save();
    }
}

// Decrypt the connectionStrings section back to plaintext
protected void Button2_Click(object sender, EventArgs e)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Only decrypt when the section exists and is currently protected
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

Conclusion: This method is convenient and simple, but it is not highly secure.

Method 2,
Use RsaProtectedConfigurationProvider for encryption.
The test.aspx program is basically the same as above; change

section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

to

section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");

However, when you then browse to the website, you are very likely to see the following error:

Note: An error occurred while processing the configuration file required to service this request. Check the error details below and modify the configuration file as appropriate.
Parser error message: The provider "RsaProtectedConfigurationProvider" cannot be used for decryption. The error message returned by the provider is: The RSA key container could not be opened.

The solution to this error is:
Run at the command prompt: aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
If an error occurs (the command is not found), add the directory C:\Windows\Microsoft.NET\Framework\v2.0.50727 to the PATH environment variable.
After that the website can be accessed successfully.
You can also perform "RsaProtectedConfigurationProvider" encryption from the command line.
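The error above is raised because the worker process identity cannot open the RSA key container, which is exactly what aspnet_regiis -pa fixes by granting that account access to the container. The following console program is an added diagnostic, not part of the original article: it tries to open a machine-level key container under the current identity with the .NET CspParameters API, reports the unique key-file name (the file under the MachineKeys directory whose permissions matter) when it succeeds, and reports the CryptographicException message when it fails. The container name comes from the command line and defaults to NetFrameworkConfigurationKey; the class and method names are my own.

```csharp
// Added diagnostic (not from the original article): can this identity open the
// machine-level RSA key container that RsaProtectedConfigurationProvider uses?
using System;
using System.Security.Cryptography;
using System.Security.Principal;

static class KeyContainerProbe
{
    // Returns true if the container exists and the current identity can open it.
    // containerName is "NetFrameworkConfigurationKey" for the default provider,
    // or whatever name was given to aspnet_regiis -pc.
    static bool TryOpenMachineContainer(string containerName, out string detail)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            // UseExistingKey makes the constructor fail instead of silently
            // creating a fresh (and useless) container under the caller's identity.
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
            {
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                // UniqueKeyContainerName is the file name of the key blob in the
                // MachineKeys directory; that file needs an ACL entry for the
                // application pool account (what aspnet_regiis -pa adds).
                detail = string.Format("opened; key file = {0}; exportable = {1}; key size = {2} bits",
                    info.UniqueKeyContainerName, info.Exportable, rsa.KeySize);
                return true;
            }
        }
        catch (CryptographicException ex)
        {
            // Typical messages: "Keyset does not exist" when the container is
            // missing (e.g. after aspnet_regiis -pz), "Access is denied" when
            // this identity has no permission on the key file.
            detail = "cannot open: " + ex.Message;
            return false;
        }
    }

    static void Main(string[] args)
    {
        string container = args.Length > 0 ? args[0] : "NetFrameworkConfigurationKey";
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        string detail;
        bool ok = TryOpenMachineContainer(container, out detail);
        Console.WriteLine("Container \"{0}\": {1}", container, detail);

        // Run this under the account that hosts the site (for example NETWORK
        // SERVICE) to reproduce what the worker process sees.
        Environment.ExitCode = ok ? 0 : 1;
    }
}
```

Running the probe as an administrator and then as the application pool account shows the difference directly: the same container opens for one identity and fails with "Access is denied" for the other, which is the situation the ASP.NET error page describes.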

Note: Instead of granting access to the default RsaProtectedConfigurationProvider's key container with aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE", you can also create and register an RSA key container of your own.
The method is as follows:
1) Create an exportable RSA key container named Key:

aspnet_regiis -pc "Key" -exp

2) Declare a provider that uses this key container, placed before the section you want to encrypt, for example:

<configProtectedData>
  <providers>
    <clear/>
    <add name="KeyProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="Key"
         useMachineContainer="true"/>
  </providers>
</configProtectedData>

<connectionStrings>
  <add name="SQLConnString" connectionString="Data Source=yourIP;Initial Catalog=test;User Id=yourID;Password=yourPassword;"
       providerName="System.Data.SqlClient"/>
</connectionStrings>

Make sure that the xmlns attribute on the configuration element has the following value:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

3) Encrypt the configuration section:

aspnet_regiis -pef "connectionStrings" "E:\project\Test" -prov "KeyProvider"

The parameters are: the configuration section to encrypt, the physical path of the project directory, and (after -prov) the name of the protected-configuration provider declared above, which in turn names the key container used for encryption.

If you look at the web.config file now, you will find that the connectionStrings section has been encrypted, yet the program still accesses the database correctly when it runs.

To decrypt, you only need to run:

aspnet_regiis -pdf "connectionStrings" "E:\project\Test"

which restores the plaintext web.config.

(Note: if an error still occurs, the account running the site probably lacks permission on the generated key file in the directory C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Find the generated key file and grant the NETWORK SERVICE account read permission on it; the following command does this: aspnet_regiis -pa "Key" "NT AUTHORITY\NETWORK SERVICE". You may need to restart IIS afterwards.)

4) Export the key container to an XML file:

aspnet_regiis -px "Key" "e:\Key.xml"

This command exports only the public key, so the result can only be used for encryption and cannot decrypt later.

aspnet_regiis -px "Key" "e:\Keys.xml" -pri

This exports the private key as well, so this is the form we need.

5) Delete the key container:

aspnet_regiis -pz "Key"

After the container is deleted, the program fails with:

Parser error message: The provider "KeyProvider" cannot be used for decryption. The error message returned by the provider is: The RSA key container could not be opened.

Likewise, this shows that on any machine where the correct key container Key is not installed, the program cannot decrypt the connectionStrings section and therefore cannot run.

6) Import the exported Keys.xml file:

aspnet_regiis -pi "Key" "e:\Keys.xml"

Run the program again and you will find that it can decrypt once more. This proves that the encryption and decryption mechanism works properly.
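To observe the behaviour of steps 3, 5 and 6 without browsing to the site, the following console program is an added example and is not from the original article. It reads the configProtectionProvider attribute straight out of web.config under a physical directory (E:\project\Test, the path used above), then opens the file through WebConfigurationManager.OpenMappedWebConfiguration the way the runtime would and attempts to read the SQLConnString connection string. With the Key container present the value decrypts transparently; after aspnet_regiis -pz "Key" the read fails with the same ConfigurationErrorsException shown above. The class and method names are my own, and the program reports only the length of the decrypted value, never the value itself.

```csharp
// Added example (not from the original article): report how the connectionStrings
// section of a web.config is protected and whether this identity can decrypt it.
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;
using System.Xml;

static class ProtectedConfigCheck
{
    // Reads configProtectionProvider directly from the XML, so it works even when
    // decryption is impossible. Children are matched by LocalName so the xmlns on
    // <configuration> does not get in the way.
    static string ProtectionProviderOf(string physicalDir, string sectionName)
    {
        var doc = new XmlDocument();
        doc.Load(Path.Combine(physicalDir, "web.config"));
        foreach (XmlNode node in doc.DocumentElement.ChildNodes)
        {
            var el = node as XmlElement;
            if (el != null && el.LocalName == sectionName)
                return el.GetAttribute("configProtectionProvider"); // "" when not protected
        }
        return null; // section absent
    }

    // Opens <physicalDir>\web.config as the root web.config of a virtual application "/".
    static Configuration OpenWebConfig(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Returns a one-line verdict; never returns the connection string itself.
    static string Check(string physicalDir, string connectionStringName)
    {
        string provider = ProtectionProviderOf(physicalDir, "connectionStrings");
        if (provider == null)
            return "no connectionStrings section in web.config";

        string state = provider.Length == 0 ? "not protected" : "protected by " + provider;
        try
        {
            Configuration config = OpenWebConfig(physicalDir);
            // GetSection deserialises the section, which is where decryption happens.
            var section = (ConnectionStringsSection)config.GetSection("connectionStrings");
            ConnectionStringSettings cs = section.ConnectionStrings[connectionStringName];
            if (cs == null)
                return state + "; \"" + connectionStringName + "\" is not defined";
            return string.Format("{0}; \"{1}\" decrypts OK ({2} characters, value withheld)",
                state, connectionStringName, cs.ConnectionString.Length);
        }
        catch (ConfigurationErrorsException ex)
        {
            // Reached when the key container named by the provider is missing
            // (after aspnet_regiis -pz "Key") or not readable by this identity.
            return state + "; decryption FAILED: " + ex.Message;
        }
    }

    static void Main(string[] args)
    {
        string dir = args.Length > 0 ? args[0] : @"E:\project\Test";   // project path from the article
        string name = args.Length > 1 ? args[1] : "SQLConnString";     // connection string name from the article
        Console.WriteLine(Check(dir, name));
    }
}
```

Running it after step 3 prints "protected by KeyProvider; "SQLConnString" decrypts OK", after step 5 it prints the decryption failure with the provider's "RSA key container could not be opened" message, and after step 6 it decrypts again. Because it reads the provider name from the XML first, the output also makes clear whether a failure is a protection problem or simply a missing section.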

Finally, a few words on what protection this mechanism actually provides:

Encrypting the app.config of a WinForms program is of little value, because the client can run aspnet_regiis -pdf to decrypt the configuration file and expose the sensitive information.

For web.config the value of encryption is also limited. It does mean that if the config file leaks accidentally, the sensitive information is not exposed along with it. But if a malicious attacker has already gained the ability to run programs on the server, the situation is the same as for app.config: the plaintext is easily obtained by running aspnet_regiis -pdf.

In addition, aspnet_regiis -pa "Key" "NT AUTHORITY\NETWORK SERVICE" can be used to control which accounts may access the key container. Further security measures should be possible on that basis, for example ensuring that some users cannot run aspnet_regiis -pdf to decrypt the configuration file even if they can log on to the server.
