In ASP.NET 2.0, encrypt the configuration section in the web.config file.

Source: Internet
Author: User
Tags connectionstrings

In ASP.NET 2.0, you can use RsaProtectedConfigurationProvider and DpapiProtectedConfigurationProvider to encrypt some of the data in web.config. This document describes how to use RsaProtectedConfigurationProvider and a computer-level key container for encryption.

 

1. First, determine whether the configuration section in web.config to be encrypted can be encrypted.

2. Create an RSA key container

3. Identify the key container to be used in web.config

4. Encrypt web.config

5. Grant access permissions to the RSA key container

Step 1: First, determine whether the configuration section in web.config to be encrypted can be encrypted.
ASP.NET 2.0 supports encryption of some configuration sections of web.config. Data in the following configuration sections cannot be encrypted:

<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
 

Step 2: Create an RSA key container
To create an RSA key container, use the ASP.NET IIS Registration tool (aspnet_regiis.exe) with the -pc switch. You must specify a name for the key container; this name identifies the key container used by the RsaProtectedConfigurationProvider specified in the configProtectedData section of the application's web.config file. To ensure that the newly created RSA key container can be exported, the -exp option must be included.

For example, the following command creates an RSA key container named abeenkeys, which is a computer-level key container that can be exported.

    aspnet_regiis -pc "abeenkeys" -exp

Step 3: Modify web.config to identify the key container
Edit the web.config file to identify the key container to be used.

In web.config, the <configProtectedData> section is used to configure the key container. Add the xmlns attribute to <configuration>:

    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

Use RsaProtectedConfigurationProvider for a computer-level RSA key container named abeenkeys.

    <configProtectedData>
      <providers>
        <add name="abeenprovider"
             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, processorArchitecture=MSIL"
             keyContainerName="abeenkeys" />
      </providers>
    </configProtectedData>

Step 4: Encrypt the <connectionStrings> section of your web.config file
Encrypt the configuration section in your web.config file. The -prov option selects the provider declared in Step 3; without it, aspnet_regiis uses the default provider and its key container instead of abeenkeys.

    aspnet_regiis -pe "connectionStrings" -app "/connectiontest" -prov "abeenprovider"

Step 5: Grant access permissions to the RSA key container
You can use the following code to determine which user should be granted the permission:

    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

By default, the RSA key container is strictly protected by the NTFS access control list (ACL) on the server where it is located. This restricts who can access the encryption key and so strengthens the protection of the encrypted information. Before ASP.NET can use the RSA key container, you must first grant Read access to the container to the process identity of the ASP.NET application. You can use the aspnet_regiis.exe tool with the -pa switch to grant the ASP.NET application identity permission to read the RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account Read access to the computer-level RSA key container named abeenkeys:

    aspnet_regiis -pa "abeenkeys" "NT AUTHORITY\NETWORK SERVICE"

Note:

If the RSA key container is a user-level container, you must log on as the user whose Windows profile stores the key, and you must include the -pku option to grant access to the user-level RSA key container.
 

To use the default RsaProtectedConfigurationProvider specified in the computer configuration, you must first grant the application's Windows identity access to the computer key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:

    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the aspnet_regiis.exe tool. Therefore, the preceding command can also be issued as follows:

    aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
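
A check that can be run after Step 4 to confirm that the section really was encrypted, and with the provider from Step 3 rather than the default one. This is an added example, not code from the original article; the function names and the abbreviated sample document are constructed for illustration, and only top-level sections such as connectionStrings are looked up.

```python
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed, abbreviated sample of a protected section as it appears in
# web.config (the CipherValue is a placeholder, not real ciphertext).
SAMPLE = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings configProtectionProvider="abeenprovider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_section(xml_text, section="connectionStrings", provider="abeenprovider"):
    """Return a list of findings; an empty list means the section looks protected."""
    root = ET.fromstring(xml_text)
    node = next((e for e in root if local(e.tag) == section), None)
    if node is None:
        return [f"<{section}> not found"]
    findings = []
    used = node.get("configProtectionProvider")
    if used is None:
        findings.append("section is not encrypted (no configProtectionProvider)")
    elif used != provider:
        # Typical when aspnet_regiis -pe ran without -prov: the default provider was used.
        findings.append(f"encrypted with provider '{used}', expected '{provider}'")
    has_blob = any(c.tag == f"{{{XMLENC}}}EncryptedData" for c in node)
    if used is not None and not has_blob:
        findings.append("no <EncryptedData> element inside the section")
    # Any remaining connectionString attribute is readable plaintext.
    for el in node.iter():
        if el.get("connectionString"):
            findings.append(f"plaintext connectionString in <{local(el.tag)}>")
    return findings


if __name__ == "__main__":
    for line in audit_section(SAMPLE) or ["OK: section is protected"]:
        print(line)
```
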
Note: I found this method has a defect.

 

Http://www.cnblogs.com/abeen/archive/2006/12/23/601210.html

After each encryption, when the computer is restarted, IIS Admin has an error and you have to reinstall IIS!
 

This article is from the CSDN blog; if you reproduce it, please indicate the source: http://blog.csdn.net/JOHNCOOLS/articles/1464543.aspx
