How to encrypt web.config in ASP.NET

Source: Internet
Author: User

<appSettings>
  <!-- Whether the connection string is encrypted -->
  <add key="ConStringEncrypt" value="false"/>
  <!-- Connection string; can be extended to support different databases. If the value is encrypted, set the preceding parameter to true. If it is plaintext (for example server=127.0.0.1;database=codematic;uid=sa;pwd=), set it to false -->
  <add key="ConnectionString" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/>
  <!-- Permission module connection string -->
  <add key="ConnectionStringAccounts" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/>
  <add key="ConnectionString2" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/>
  <!-- Virtual directory name (blank if it is a site) -->
  <add key="VirtualPath" value=""/>
  <!-- Logon page address -->
  <add key="LoginPage" value="admin/Login.aspx"/>
  <!-- Whether the default menu is expanded -->
  <add key="MenuExpanded" value="false"/>
  <!-- Time (in minutes) that object content is cached -->
  <add key="ModelCache" value="30"/>
</appSettings>

In ASP.NET 2.0, you can use RsaProtectedConfigurationProvider and DpapiProtectedConfigurationProvider to encrypt some of the data in web.config. This document describes how to use RsaProtectedConfigurationProvider with a computer-level key container for encryption.
1. Determine whether the configuration section in web.config that you want to encrypt can be encrypted
2. Create an RSA key container
3. Identify the key container to be used in web.config
4. Encrypt web.config
5. Grant access permissions to the RSA key container
Step 1: Determine whether the configuration section in web.config that you want to encrypt can be encrypted
ASP.NET 2.0 supports encryption of some configuration sections of Web.config. Data in the following configuration sections cannot be encrypted:
* <processModel>
* <runtime>
* <mscorlib>
* <startup>
* <system.runtime.remoting>
* <configProtectedData>
* <satelliteassemblies>
* <cryptographySettings>
* <cryptoNameMapping>
* <cryptoClasses>

Step 2: Create an RSA key container
To create an RSA key container, use the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the -pc switch. You must specify a name for the key container. This name identifies the key container used by the RsaProtectedConfigurationProvider that is specified in the configProtectedData section of the application's Web.config file. To ensure that the newly created RSA key container can be exported, the -exp option must be included.
For example, the following command creates an RSA key container named ABeenKeys, which is a computer-level key container that can be exported.
aspnet_regiis -pc "ABeenKeys" -exp
Step 3: Modify web.config to identify the key container
Edit the Web.config file to identify the key container to be used.
In web.config, the <configProtectedData> section is used to configure the key container.
Add the xmlns attribute to <configuration>:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Use RsaProtectedConfigurationProvider with the computer-level RSA key container named ABeenKeys:
<configProtectedData>
  <providers>
    <add name="ABeenProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, processorArchitecture=MSIL"
         keyContainerName="ABeenKeys"/>
  </providers>
</configProtectedData>

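Step 4: Encrypt the <connectionStrings> section of your web.config file
Encrypt the configuration section in your web.config file. The -prov option names the provider defined in step 3; without it, the default provider is used instead of ABeenProvider.
aspnet_regiis -pe "connectionStrings" -app "/connectionTest" -prov "ABeenProvider"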
Step 5: Grant access permissions to the RSA key container
Use the following code to determine which user should be granted the permission:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
By default, the RSA key container is strictly protected by the NTFS access control list (ACL) on the server where it is located. This restricts who can access the encryption key and so strengthens the protection of the encrypted information. Before ASP.NET can use the RSA key container, the process identity of the ASP.NET application must be granted Read access to it. You can use the Aspnet_regiis.exe tool with the -pa switch to grant the identity of the ASP.NET application permission to read the RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account Read access to the computer-level RSA key container named ABeenKeys:
aspnet_regiis -pa "ABeenKeys" "NT AUTHORITY\NETWORK SERVICE"
Note:
If the RSA key container is a user-level container, you must be logged on as the user in whose Windows profile the key is stored, and the -pku option must be included to grant access to the user-level RSA key container.
To use the default RsaProtectedConfigurationProvider specified in the computer configuration, you must first grant the Windows identity of the application access to the computer key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. Therefore, the preceding command can also be issued as follows:
aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
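A way to check the result of steps 3 and 4, added here as an example (it is not code from the original article): after encryption, a protected section carries a configProtectionProvider attribute and an <EncryptedData> child, and this Python script reports for each section whether it is encrypted, with which provider, and which key container that provider uses. The sample file with its placeholder ciphertext is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.config after step 4 (ciphertext is a placeholder).
SAMPLE = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configProtectedData><providers>
    <add name="ABeenProvider" keyContainerName="ABeenKeys"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration"/>
  </providers></configProtectedData>
  <appSettings><add key="ConStringEncrypt" value="false"/></appSettings>
  <connectionStrings configProtectionProvider="ABeenProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def child(parent, name):
    """First direct child with this local name, or None."""
    if parent is None:
        return None
    return next((el for el in parent if local(el.tag) == name), None)

def audit_web_config(xml_text, sections=("connectionStrings", "appSettings")):
    """Return {section: (status, provider, key_container)} for one web.config."""
    root = ET.fromstring(xml_text)
    # Key containers declared in this file's <configProtectedData><providers>.
    providers = child(child(root, "configProtectedData"), "providers")
    containers = {}
    if providers is not None:
        containers = {p.get("name"): p.get("keyContainerName") for p in providers}
    report = {}
    for name in sections:
        sec = child(root, name)
        prov = sec.get("configProtectionProvider") if sec is not None else None
        if sec is None:
            report[name] = ("missing", None, None)
        elif prov and child(sec, "EncryptedData") is not None:
            # key_container is None when the provider is not declared in this file.
            report[name] = ("encrypted", prov, containers.get(prov))
        else:
            report[name] = ("plaintext", None, None)
    return report

if __name__ == "__main__":
    print(audit_web_config(SAMPLE))
```

A section reported as encrypted with a provider that has no key container in the file was protected by a provider declared elsewhere, such as the default one, so the access grant in step 5 must target that provider's container.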
