asp.net|web| encryption
ASP.NET 2.0 added the ability to encrypt parts of the data in Web.config. Encryption can use either RsaProtectedConfigurationProvider or DpapiProtectedConfigurationProvider. This article describes the steps for encrypting with RsaProtectedConfigurationProvider and a machine-level key container.
1. Determine whether the configuration section in Web.config that you want to encrypt can be encrypted
2. Create an RSA key container
3. Identify the key container to use in Web.config
4. Encrypt the Web.config
5. Grant access to the RSA key container
Step 1: Determine whether the configuration section in Web.config that you want to encrypt can be encrypted
ASP.NET 2.0 supports encrypting some of the configuration sections of Web.config. The data in the following configuration sections cannot be encrypted:
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
Step 2: Create an RSA key container
To create an RSA key container, use the ASP.NET IIS Registration tool (Aspnet_regiis.exe) with the -pc switch. You must specify a name for the key container; this name identifies the key container used by the RsaProtectedConfigurationProvider specified in the configProtectedData section of the application's Web.config file. To ensure that the newly created RSA key container can be exported, you must include the -exp option.
For example, the following command creates an RSA key container named Abeenkeys, which is an exportable computer-level key container.
aspnet_regiis -pc "Abeenkeys" -exp
Step 3: Modify Web.config to identify the key container
Edit the Web.config file to identify the key container to use.
Add a <configProtectedData> section to Web.config to configure the key container; here it uses the computer-level RSA key container named Abeenkeys.
Add the xmlns attribute to <configuration>:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
The following uses the RsaProtectedConfigurationProvider with the computer-level RSA key container named Abeenkeys:
<configProtectedData>
  <providers>
    <add name="Abeenprovider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, processorArchitecture=MSIL"
         keyContainerName="Abeenkeys" />
  </providers>
</configProtectedData>
Step 4: Encrypt the <connectionStrings> section of your Web.config file
Encrypt the configuration section in your Web.config file:
aspnet_regiis -pe "connectionStrings" -app "/connectiontest"
Step 5: Grant access to the RSA key container
You can determine which identity needs to be granted access by using the following code, which writes out the Windows identity the application runs as:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
By default, the RSA key container is tightly protected by the NTFS access control list (ACL) on the host server. This limits who can access the encryption key and so strengthens the protection of the encrypted information. Before ASP.NET can use the RSA key container, you must grant the process identity of the ASP.NET application read access to it. You can use the Aspnet_regiis.exe tool with the -pa switch to grant the identity of the ASP.NET application the ability to read the RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account read access to a computer-level RSA key container named Abeenkeys:
aspnet_regiis -pa "Abeenkeys" "NT AUTHORITY\NETWORK SERVICE"
Attention:
If the RSA key container is a user-level container, you must be logged on as the user whose Windows profile stores the key, and you must include the -pku option to grant access to the user-level RSA key container.
To use the default RsaProtectedConfigurationProvider specified in the computer configuration, you must first grant the Windows identity of the application access to the computer key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. The above command can therefore also be issued as follows:
aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
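An added example, not part of the original article or its code download: a Python check that a Web.config section really was encrypted in Step 4 and which RSA key container the -pa grant in Step 5 has to target. The two Web.config samples are constructed, and the names audit_section and MACHINE_DEFAULTS are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Provider names predefined in machine.config; the default RSA provider uses
# the NetFrameworkConfigurationKey container, the DPAPI provider uses none.
MACHINE_DEFAULTS = {"RsaProtectedConfigurationProvider": "NetFrameworkConfigurationKey",
                    "DataProtectionConfigurationProvider": None}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_section(xml_text, section="connectionStrings"):
    """Return (protected, key_container, findings) for one Web.config section."""
    root = ET.fromstring(xml_text)
    node = next((e for e in root.iter() if local(e.tag) == section), None)
    if node is None:
        return False, None, ["section <%s> not found" % section]
    findings = []
    provider = node.get("configProtectionProvider")
    if provider is None:
        findings.append("<%s> has no configProtectionProvider attribute" % section)
    if [local(c.tag) for c in node] != ["EncryptedData"]:
        findings.append("<%s> content is not a single <EncryptedData>" % section)
    # Map provider names declared in <configProtectedData> to their containers.
    declared = {a.get("name"): a.get("keyContainerName")
                for e in root.iter() if local(e.tag) == "configProtectedData"
                for a in e.iter() if local(a.tag) == "add"}
    container = declared.get(provider, MACHINE_DEFAULTS.get(provider))
    if provider and provider not in declared and provider not in MACHINE_DEFAULTS:
        findings.append("provider '%s' is not declared in <configProtectedData>" % provider)
    return not findings, container, findings

# Constructed samples: the ciphertext is a placeholder, not real output.
ENCRYPTED = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configProtectedData><providers>
    <add name="Abeenprovider" keyContainerName="Abeenkeys"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration" />
  </providers></configProtectedData>
  <connectionStrings configProtectionProvider="Abeenprovider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""
CLEARTEXT = """<configuration><connectionStrings>
  <add name="db" connectionString="Server=.;Database=demo;Integrated Security=SSPI" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    print(audit_section(ENCRYPTED))
    print(audit_section(CLEARTEXT))
```

A cleartext section or an undeclared provider name comes back as a finding, which makes the function usable as a deployment gate before the site is published.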
Code download: http://www.cnblogs.com/Files/abeen/connectionTest.rar
Note: I found that this method has a flaw: after each encryption, restarting the computer produces an IIS Admin error, and I also had to reinstall IIS, which is depressing.