Encrypting the connection string in web.config with RSA asymmetric encryption, keeping the key in a Windows RSA key container

Source: Internet
Author: User
Tags: asymmetric encryption, connectionStrings

A simple workaround:

Symptom: web.config decryption fails with "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened."
Cause: the account the application runs under has not been granted access to the RSA key container.
Grant access:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
On Windows XP, where the worker process runs as ASPNET:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
Encrypt a section, addressing the site by its virtual path:
    aspnet_regiis -pe "appSettings" -app "/Application Name"
Decrypt it again:
    aspnet_regiis -pd "appSettings" -app "/Application Name"    (for example -app "/petshop/web")

A more flexible solution:

1. Create a key container
    aspnet_regiis -pc "Connectionstringskey" -exp
Connectionstringskey is the name of the key container; -exp makes the private key exportable, which is needed later to move the container to another machine.
Run aspnet_regiis /? to see the full usage of this command.

2. Add the following to web.config, inside <configuration> (attribute names are case-sensitive):

    <configProtectedData>
      <providers>
        <clear/>
        <add name="Connectionstringskeyprovider"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
             keyContainerName="Connectionstringskey"
             useMachineContainer="true"/>
      </providers>
    </configProtectedData>


3. From the command line, encrypt the named configuration section of the web.config in the given directory with the provider (and therefore the key container) registered above:
    aspnet_regiis -pef "connectionStrings" "D:\testproj\websitetest" -prov "Connectionstringskeyprovider"
Nested sections are written with a slash separator; for example the identity section is addressed as "system.web/identity".

4. If you now browse to the web application and the page shows "Error message from the provider: The RSA key container could not be opened.", the Network Service account cannot read the key file. Locate the key file and grant Network Service Read permission (sort the directory by modification time to find the file created in step 1). The key files live in:
    Vista and later: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
    XP and earlier:  C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\
The same permission can also be granted with aspnet_regiis -pa "Connectionstringskey" "NT AUTHORITY\NETWORK SERVICE".
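Steps 1 to 4 as a single script, added here as an example; it is not code from the original post. It assumes the .NET 2.0 aspnet_regiis.exe location, the site directory, the section and the service account given as parameter defaults, all of which come from the steps above except the executable path. Instead of pasting the XML from step 2 by hand it inserts the provider element itself, and it checks the output of every aspnet_regiis call (the tool prints "Succeeded!" on success, which the script relies on) so that a container that already exists or a section that is already protected is reported instead of silently skipped.

```powershell
# Added example, not code from the original post. Runs steps 1-4 end to end.
# Assumptions (not from the page): the aspnet_regiis.exe path below and the
# "Succeeded!" / "already exists" output texts the checks look for.
param(
    [string]$AspnetRegiis = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe",
    [string]$Container    = 'Connectionstringskey',
    [string]$Provider     = 'Connectionstringskeyprovider',
    [string]$SiteDir      = 'D:\testproj\websitetest',
    [string]$Section      = 'connectionStrings',
    [string]$Account      = 'NT AUTHORITY\NETWORK SERVICE'
)
$ErrorActionPreference = 'Stop'

# Run aspnet_regiis and fail loudly unless it reports success.
function Invoke-RegIis([string[]]$Arguments) {
    $output = & $AspnetRegiis @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $output -notmatch 'Succeeded') {
        throw "aspnet_regiis $($Arguments -join ' ') failed:`n$output"
    }
    return $output
}

# Find a direct child element by local name (works whether or not
# <configuration> carries a default xmlns, which XPath would not).
function Get-Child($Parent, [string]$LocalName) {
    foreach ($c in $Parent.ChildNodes) { if ($c.LocalName -eq $LocalName) { return $c } }
    return $null
}

# Step 1: create an exportable machine-level key container (idempotent).
try {
    Invoke-RegIis -Arguments '-pc', $Container, '-exp'
} catch {
    if ($_.Exception.Message -notmatch 'already exists') { throw }
    Write-Host "Key container '$Container' already exists, reusing it."
}

# Step 2: register the provider in web.config (same result as the XML in step 2).
$configPath = Join-Path $SiteDir 'web.config'
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($configPath)
$root = $config.DocumentElement
$ns = $root.NamespaceURI
$cpd = Get-Child $root 'configProtectedData'
if (-not $cpd) { $cpd = $root.AppendChild($config.CreateElement('configProtectedData', $ns)) }
$providers = Get-Child $cpd 'providers'
if (-not $providers) { $providers = $cpd.AppendChild($config.CreateElement('providers', $ns)) }
$exists = $providers.ChildNodes | Where-Object { $_.LocalName -eq 'add' -and $_.GetAttribute('name') -eq $Provider }
if (-not $exists) {
    $add = $config.CreateElement('add', $ns)
    $add.SetAttribute('name', $Provider)
    # Version=2.0.0.0 matches the page; a .NET 4 site needs Version=4.0.0.0.
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL')
    $add.SetAttribute('keyContainerName', $Container)
    $add.SetAttribute('useMachineContainer', 'true')
    [void]$providers.AppendChild($add)
    $config.Save($configPath)
}

# Step 3: encrypt the section with the registered provider.
Invoke-RegIis -Arguments '-pef', $Section, $SiteDir, '-prov', $Provider

# Step 4: grant the worker-process account read access to the container's key
# file; -pa is the command-line equivalent of the manual MachineKeys ACL edit.
Invoke-RegIis -Arguments '-pa', $Container, $Account

# Verify: the section must now carry configProtectionProvider and no plaintext <add>.
$config.Load($configPath)
$node = $config.DocumentElement
foreach ($part in $Section.Split('/')) { $node = Get-Child $node $part; if (-not $node) { break } }
if (-not $node -or $node.GetAttribute('configProtectionProvider') -ne $Provider) {
    throw "Section '$Section' is not protected by '$Provider'"
}
if (Get-Child $node 'add') { throw "Section '$Section' still contains plaintext <add> entries" }
Write-Host "Section '$Section' in $configPath is protected with provider '$Provider' (container '$Container')."
```

Save it as a .ps1 and run it from an elevated prompt on the web server, overriding the defaults as needed, e.g. `.\Protect-WebConfig.ps1 -SiteDir 'D:\sites\shop' -Section 'system.web/identity'`. The container is created at machine level (useMachineContainer="true"), so the same script run on a second server would create a different key there; for a web farm, export the container once with -px -pri and import it with -pi on the other nodes instead.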

Now open web.config: the connectionStrings section is already encrypted.

5. From an .aspx page: encrypt and decrypt the connection string through a web interface.

Code-behind (requires a reference to System.Configuration):

    using System;
    using System.Configuration;
    using System.Web.Configuration;

    // Encrypt button
    protected void Button1_Click(object sender, EventArgs e)
    {
        // ① the section that requires encryption
        string name = "connectionStrings";
        // ② the virtual path of the current application
        string appPath = "/logincontral";
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        // ③ the protection provider (here the custom one registered in web.config)
        // string provider = "RsaProtectedConfigurationProvider";   // the built-in machine-level provider
        string provider = "Connectionstringskeyprovider";
        // ④ protect the section
        config.GetSection(name).SectionInformation.ProtectSection(provider);
        // ⑤ save the web.config file
        try
        {
            config.Save();
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message);
        }
        if (config.GetSection(name).SectionInformation.IsProtected)
        {
            Button1.Enabled = false;
            Response.Write("Encryption succeeded!");
        }
        else
        {
            Response.Write("Encryption failed!");
        }
    }

    // Decrypt button
    protected void Button2_Click(object sender, EventArgs e)
    {
        // ① the section to decrypt
        string name = "connectionStrings";
        // ② the virtual path of the current application
        string appPath = "/logincontral";
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        // ③ use UnprotectSection to decrypt
        config.GetSection(name).SectionInformation.UnprotectSection();
        // ④ save the web.config file
        config.Save();
        if (!config.GetSection(name).SectionInformation.IsProtected)
        {
            Button2.Enabled = false;
            Response.Write("Decryption succeeded!");
        }
        else
        {
            Response.Write("Decryption failed!");
        }
    }

Note: appPath = "/logincontral" is the virtual path of the current project.

Connection string before encryption:

    <connectionStrings>
      <add name="Connection" connectionString="data source=.;Database=aspnetdb;user id=sa;pwd=123;"/>
    </connectionStrings>


Connection string after encryption:

    <connectionStrings configProtectionProvider="Connectionstringskeyprovider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>aepogg4vvhd8k6nvhvmdo8fagfmopoddvnbn5vpv0mxp8ngrimnzfvflrhhvooiu56mcmmr6n5cunixzimgb/Ztgcnmsiku8sr6ytx8iuh64u9ivujwaoabtzp4ahlhmih6ywkhxjmqrjyys2ecsocquzq0ndkkc3omg/ucoik0=</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>bimah/6vwvi0fkvqijpszzkhk+a6qni0aa794yxi1x+sffkdtsur15hvcbyolborckprhx94mpom2ekobqyvycf24pdyakiffazo1sluzmutcxfvu/Ltbqn83bnjdgbgo6evtdg4m7dsavr6qwyep8wysqwwubkwslzsmynqpoyghvb9btvjbscwiuz4ynfhvutzigisjqa=</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>

The section content is encrypted with a random Triple-DES key, and that session key is in turn encrypted with the RSA key from the container (the inner EncryptedKey element); only a machine holding the same container can recover it.


Other useful operations:
1. Decrypt the web.config from the command line:
    aspnet_regiis -pdf "connectionStrings" "D:\testproj\websitetest"
2. Export the key container to an XML file:
    aspnet_regiis -px "Connectionstringskey" "C:\key.xml"
    aspnet_regiis -px "Connectionstringskey" "C:\keys.xml" -pri
   The second form includes the private key, so that is the one to use when the container must be moved to another server; the exported file then holds the only secret in the whole scheme and should be removed once it has been imported.

If you delete the key container and then run the program, the page reports:
    Parser Error Message: Failed to decrypt using provider 'Lixinkeyprovider'. Error message from the provider: The RSA key container could not be opened.
(in this test the container was named Lixinkey and its provider Lixinkeyprovider). This also proves that on any machine where the correct key container is not installed, the program cannot decrypt the connectionStrings section and therefore will not work. Import the exported container:
    aspnet_regiis -pi "Lixinkey" "C:\keys.xml"
At this point, running the program shows that the section can be decrypted again, which confirms that the encryption and decryption mechanism works as intended.
Finally, a word on what security this mechanism actually provides:
1. Encrypting the App.config of a WinForm program makes little sense, because the client can simply run aspnet_regiis -pdf to decrypt the configuration file and expose the sensitive information.
2. Encrypting web.config is likewise only meaningful for the case where the web.config file itself is accidentally disclosed: no sensitive information is revealed. If an attacker has already obtained permission to run programs on the server, then, just as with App.config, the plaintext can be recovered simply by running aspnet_regiis -pdf.
3. Still, by controlling access to the key container per user with aspnet_regiis -pa "key" "NT AUTHORITY\NETWORK SERVICE", you gain some additional security: users who can log on to the server but have not been granted access to the container cannot decrypt the configuration file with aspnet_regiis -pdf.
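Because the protection only helps when the file leaks, the check worth automating is whether the sections that carry credentials are actually protected on every server. The function below is an added example, not code from the original post: it reads a web.config, lists the registered protection providers with their key containers, and reports each connectionStrings and appSettings entry as protected, plaintext, or plaintext containing a password-style token. The sample web.config it runs on is constructed for the demonstration, and the secret-detection patterns are the example's own heuristics.

```powershell
# Added example, not code from the original post: audit a web.config for
# unprotected secrets. The sample config at the bottom is constructed.
function Get-WebConfigSecretStatus {
    param([Parameter(Mandatory = $true)][string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $root = $doc.DocumentElement   # XPath below assumes no default xmlns on <configuration>
    $findings = @()

    # Which protection providers are registered, and which key container do they use?
    foreach ($p in $root.SelectNodes('configProtectedData/providers/add')) {
        $findings += [pscustomobject]@{
            Item   = "provider:$($p.GetAttribute('name'))"
            Status = 'registered'
            Detail = "keyContainerName=$($p.GetAttribute('keyContainerName')) useMachineContainer=$($p.GetAttribute('useMachineContainer'))"
        }
    }

    # connectionStrings and appSettings are the sections that usually carry credentials.
    foreach ($name in 'connectionStrings', 'appSettings') {
        $section = $root.SelectSingleNode($name)
        if (-not $section) { continue }
        $provider = $section.GetAttribute('configProtectionProvider')
        if ($provider) {
            $findings += [pscustomobject]@{ Item = $name; Status = 'protected'; Detail = "provider=$provider" }
            continue
        }
        foreach ($add in $section.SelectNodes('add')) {
            if ($name -eq 'connectionStrings') {
                $label = $add.GetAttribute('name'); $value = $add.GetAttribute('connectionString')
            } else {
                $label = $add.GetAttribute('key');  $value = $add.GetAttribute('value')
            }
            # Heuristics (example's own): a pwd=/password= token in a connection string,
            # or an app setting whose key name suggests a secret.
            $leak = ($value -match '(?i)(^|;)\s*(pwd|password)\s*=') -or
                    ($name -eq 'appSettings' -and $label -match '(?i)password|secret|apikey')
            $status = 'plaintext'; $detail = ''
            if ($leak) { $status = 'PLAINTEXT SECRET'; $detail = 'encrypt this section with aspnet_regiis -pef' }
            $findings += [pscustomobject]@{ Item = "$name/$label"; Status = $status; Detail = $detail }
        }
    }
    return $findings
}

# Constructed sample: provider registered, appSettings protected, connectionStrings still in clear.
$sample = @'
<?xml version="1.0"?>
<configuration>
  <configProtectedData>
    <providers>
      <clear/>
      <add name="Connectionstringskeyprovider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="Connectionstringskey" useMachineContainer="true"/>
    </providers>
  </configProtectedData>
  <appSettings configProtectionProvider="Connectionstringskeyprovider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="Connection" connectionString="data source=.;Database=aspnetdb;user id=sa;pwd=123;"/>
    <add name="Reporting" connectionString="data source=.;Database=reports;Integrated Security=SSPI;"/>
  </connectionStrings>
</configuration>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'audit-sample-web.config'
Set-Content -LiteralPath $tmp -Value $sample
Get-WebConfigSecretStatus -Path $tmp | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp
```

On the constructed sample the output lists the provider with its container, appSettings as protected, Connection as PLAINTEXT SECRET (it carries pwd=123) and Reporting as plaintext but without a credential, since it uses integrated security. Pointing the function at the real web.config of each site (for example over a list of IIS site paths) gives the inventory that the caveats above call for: sections that are protected and the container each one depends on.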
