A simple workaround:

Web.config decryption fails with: Failed to decrypt using provider "RsaProtectedConfigurationProvider". The provider returned an error message: The RSA key container could not be opened.

Cause: the account running the application has not been granted access to the RSA key container.

Command:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
Note: on Windows XP the worker process account is ASPNET, so the command becomes aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
Encryption: aspnet_regiis -pe "appSettings" -app "/ApplicationName"
Decryption: aspnet_regiis -pd "appSettings" -app "/ApplicationName", where the argument to -app is the application's virtual path, for example "/petshop/web"
A more flexible solution:

1. Create a key container

aspnet_regiis -pc "Connectionstringskey" -exp

Connectionstringskey is the name of the key container; -exp marks the key as exportable so the container can later be exported to another machine. Run aspnet_regiis /? to see the usage of this command.
2. Add the following to Web.config (inside <configuration>; attribute names are case-sensitive). The <clear/> removes the providers inherited from machine.config, so this provider is the only one available to the application:

```xml
<configProtectedData>
  <providers>
    <clear/>
    <add name="Connectionstringskeyprovider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="Connectionstringskey"
         useMachineContainer="true"/>
  </providers>
</configProtectedData>
```
3. From the command line, encrypt the specified section of the Web.config in the given directory with the specified provider:

aspnet_regiis -pef "connectionStrings" "D:\testproj\websitetest" -prov "Connectionstringskeyprovider"

Nested sections are written as a slash-delimited path, for example "system.web/identity" for the identity section.
4. If the application now fails with "Error message from the provider: The RSA key container could not be opened.", the Network Service account cannot access the key file. Locate the key file and grant Network Service Read permission on it (sort the folder by modification time to find the file that was created together with your key container); this has the same effect as granting access with aspnet_regiis -pa "Connectionstringskey" "NT AUTHORITY\NETWORK SERVICE" as in the workaround above. The key files are stored in:

Vista: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
XP and others: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\

Opening Web.config now shows that the content of the connectionStrings section is encrypted.
5. From an .aspx page: the page has an Encrypt button and a Decrypt button, with the following code-behind:

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Encrypt button
protected void Button1_Click(object sender, EventArgs e)
{
    // ① the section to encrypt
    string name = "connectionStrings";
    // ② the application's virtual path
    string appPath = "/logincontral";
    Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
    // ③ the protection provider (the custom provider declared in configProtectedData)
    // string provider = "RsaProtectedConfigurationProvider";   // the built-in default provider
    string provider = "Connectionstringskeyprovider";
    // ④ encrypt the section with that provider
    config.GetSection(name).SectionInformation.ProtectSection(provider);
    // ⑤ save Web.config
    try
    {
        config.Save();
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
    if (config.GetSection(name).SectionInformation.IsProtected)
    {
        Button1.Enabled = false;
        Response.Write("Encryption succeeded!");
    }
    else
    {
        Response.Write("Encryption failed!");
    }
}

// Decrypt button
protected void Button2_Click(object sender, EventArgs e)
{
    // ① the section to decrypt
    string name = "connectionStrings";
    // ② the application's virtual path
    string appPath = "/logincontral";
    Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
    // ③ decrypt with UnprotectSection
    config.GetSection(name).SectionInformation.UnprotectSection();
    // ④ save Web.config
    config.Save();
    if (!config.GetSection(name).SectionInformation.IsProtected)
    {
        Button2.Enabled = false;
        Response.Write("Decryption succeeded!");
    }
    else
    {
        Response.Write("Decryption failed!");
    }
}
```

Note: appPath = "/logincontral" is the virtual path of the current project. This code runs under the application pool identity, so that account needs write access to Web.config as well as access to the key container.
Connection string before encryption:

```xml
<connectionStrings>
  <add name="Connection" connectionString="data source=.;Database=aspnetdb;user id=sa;pwd=123;"/>
</connectionStrings>
```
Connection string after encryption:

```xml
<connectionStrings configProtectionProvider="Connectionstringskeyprovider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>aepogg4vvhd8k6nvhvmdo8fagfmopoddvnbn5vpv0mxp8ngrimnzfvflrhhvooiu56mcmmr6n5cunixzimgb/ Ztgcnmsiku8sr6ytx8iuh64u9ivujwaoabtzp4ahlhmih6ywkhxjmqrjyys2ecsocquzq0ndkkc3omg/ucoik0=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>bimah/6vwvi0fkvqijpszzkhk+a6qni0aa794yxi1x+ sffkdtsur15hvcbyolborckprhx94mpom2ekobqyvycf24pdyakiffazo1sluzmutcxfvu/ Ltbqn83bnjdgbgo6evtdg4m7dsavr6qwyep8wysqwwubkwslzsmynqpoyghvb9btvjbscwiuz4ynfhvutzigisjqa=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
```

The section itself is encrypted with a random Triple-DES key, and that key is wrapped with RSA (rsa-1_5) under the public key of the Connectionstringskey container, so only a machine holding the container's private key can recover the plaintext.
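As an added example (not from the original post), a small console diagnostic that reads a Web.config, lists which sections are encrypted and with which provider, and checks whether the account running it can open the RSA key container that provider refers to; this is the check to run under the application pool identity when the "RSA key container could not be opened" error appears. The class and method names are my own; the provider and container names are taken from the config file, with the built-in provider's documented defaults filled in.

```csharp
// Added example, not from the original post: audit which Web.config sections are
// protected and whether the calling account can open the RSA key container behind them.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Xml;

public static class ConfigProtectionAudit
{
    // Provider name -> (keyContainerName, useMachineContainer) read from <configProtectedData>;
    // the built-in provider declared in machine.config is pre-seeded with its documented defaults.
    public static Dictionary<string, Tuple<string, bool>> LoadRsaProviders(XmlDocument doc)
    {
        var map = new Dictionary<string, Tuple<string, bool>>(StringComparer.OrdinalIgnoreCase);
        map["RsaProtectedConfigurationProvider"] = Tuple.Create("NetFrameworkConfigurationKey", true);
        foreach (XmlElement add in doc.SelectNodes("/configuration/configProtectedData/providers/add"))
        {
            if (!add.GetAttribute("type").StartsWith("System.Configuration.RsaProtectedConfigurationProvider"))
                continue;
            string container = add.GetAttribute("keyContainerName");
            if (container.Length == 0) container = "NetFrameworkConfigurationKey";   // provider default
            bool machine = !"false".Equals(add.GetAttribute("useMachineContainer"), StringComparison.OrdinalIgnoreCase);
            map[add.GetAttribute("name")] = Tuple.Create(container, machine);
        }
        return map;
    }

    // True if the current Windows identity can open the named container (without creating one).
    public static bool CanOpenKeyContainer(string container, bool machineStore, out string error)
    {
        var cp = new CspParameters { KeyContainerName = container };
        cp.Flags = CspProviderFlags.UseExistingKey
                 | (machineStore ? CspProviderFlags.UseMachineKeyStore : CspProviderFlags.NoFlags);
        try { using (new RSACryptoServiceProvider(cp)) { error = null; return true; } }
        catch (CryptographicException ex) { error = ex.Message; return false; }
    }

    public static void Main(string[] args)
    {
        var doc = new XmlDocument();
        doc.Load(args.Length > 0 ? args[0] : "Web.config");
        var providers = LoadRsaProviders(doc);
        foreach (XmlElement section in doc.SelectNodes("/configuration//*[@configProtectionProvider]"))
        {
            string prov = section.GetAttribute("configProtectionProvider");
            Tuple<string, bool> key;
            if (!providers.TryGetValue(prov, out key)) { Console.WriteLine("{0}: non-RSA provider {1}", section.Name, prov); continue; }
            string err; bool ok = CanOpenKeyContainer(key.Item1, key.Item2, out err);
            Console.WriteLine("{0}: provider {1}, container {2} ({3}): {4}", section.Name, prov, key.Item1,
                key.Item2 ? "machine" : "user", ok ? "accessible" : "NOT accessible: " + err);
        }
    }
}
```

Run it as the account the application actually uses (for example via runas as the application pool identity), because the result reflects the caller's access to the key container, not the administrator's.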
Other operations (backup):

1. Decrypt Web.config:

aspnet_regiis -pdf "connectionStrings" "D:\testproj\websitetest"

2. Export the key container to an XML file:

aspnet_regiis -px "Connectionstringskey" "C:\key.xml"
aspnet_regiis -px "Connectionstringskey" "C:\keys.xml" -pri

The second form also exports the private key, so that is the one to use. The exported file then holds the private key in clear, so protect it and remove it once it has been imported. If you delete the key container and then run the program, you get the following error (the container and provider in the author's own project are named Lixinkey and Lixinkeyprovider):

Parser Error Message: Failed to decrypt using provider "Lixinkeyprovider". The provider returned an error message: The RSA key container could not be opened.

This also shows that on any machine without the correct key container (Lixinkey) installed, the program cannot decrypt the connectionStrings section and therefore cannot run. Import the exported key:

aspnet_regiis -pi "Lixinkey" "C:\keys.xml"

Running the program again now decrypts successfully, which shows the encryption and decryption mechanism is working as intended.
Finally, a word on what security this mechanism actually provides:

1. Encrypting App.config for a WinForms program makes little sense, because the client can simply run aspnet_regiis -pdf to decrypt the configuration file and expose the sensitive information.
2. The benefit of encrypting Web.config is likewise limited to the case where the Web.config file itself leaks: no sensitive information is disclosed from the file alone. If an attacker has already obtained the ability to run programs on the server, then, as with App.config, the plaintext is easily obtained by running aspnet_regiis -pdf.
3. However, by controlling which users may access the key container with aspnet_regiis -pa "key" "NT AUTHORITY\NETWORK SERVICE", you gain some additional protection: a user who lacks access to the container cannot decrypt the configuration file with aspnet_regiis -pdf even when logged on to the server.
Encrypting the connection string in Web.config with RSA asymmetric encryption, keeping the key in a Windows key container