Let's talk about how to encrypt/decrypt sensitive data in web.config/app.config.

Source: Internet
Author: User
Tags connectionstrings

Please indicate the source when reprinting: "Yang Guo under the bodhi tree" - http://www.cnblogs.com/yjmyzz/archive/2008/08/22/1274395.html

I. Use code for encryption and decryption

using System.Configuration;
using System.Web.Configuration;

// Encrypt the specified section of web.config
private void ProtectSection(string sectionName)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    // Only protect a section that exists and is not already encrypted
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save();
    }
}

// Decrypt the specified section of web.config
private void UnProtectSection(string sectionName)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection(sectionName);
    // Only unprotect a section that exists and is currently encrypted
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

Example: encrypt the connection strings section
protected void btnEncrypt_Click(object sender, EventArgs e)
{
    ProtectSection("connectionStrings");
}

Changes:

Before encryption:
<connectionStrings>
  <add name="connStr" connectionString="Data Source=server;Initial Catalog=Lib;User ID=sa;password=***"
       providerName="System.Data.SqlClient"/>
</connectionStrings>

After encryption:
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>[base64 ciphertext elided]</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Note:
After encryption, the data can still be read exactly as before.
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
The provider to use for decryption is named here, and ASP.NET handles the decryption automatically.

II. Use the aspnet_regiis.exe tool for encryption and decryption

Steps:
1. First generate the RSA key container locally (for more information about RSA, see http://msdn.microsoft.com/zh-cn/library/yxw286t2(VS.80).aspx):
aspnet_regiis.exe -pc "JimmyKeys" -exp
Note: JimmyKeys is the container name and can be changed as needed; -exp makes the key exportable.

2. Export the RSA container to an XML file:
aspnet_regiis.exe -px "JimmyKeys" "c:\JimmyKeys.xml"

3. Add a section to web.config, generally placed before <appSettings>, as shown below:

<configProtectedData>
  <providers>
    <add name="JimmyRSAProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="JimmyKeys"
         useMachineContainer="true"/>
  </providers>
</configProtectedData>

<appSettings>
...

4. Encrypt web.config:
aspnet_regiis.exe -pef "appSettings" "c:\website" -prov "JimmyRSAProvider"

Decryption:
aspnet_regiis.exe -pdf "appSettings" "c:\website"

5. Deploy to a remote server (one or more servers)
A. Upload the website files and JimmyKeys.xml (the exported RSA container file) to the server and import the RSA container:
aspnet_regiis.exe -pi "JimmyKeys" "c:\JimmyKeys.xml"

B. Check which account the aspx pages run under on the server:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
Just create an aspx page and paste the line above into it. An IIS5 environment outputs ASPNET and an IIS6 environment outputs network service; I have never tried IIS7 and don't know what it outputs.

C. Grant the account found in B read access to the RSA key container:
aspnet_regiis.exe -pa "JimmyKeys" "network service"
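Added example, not code from the original post, that covers both the code-based approach of section I and the key-container access check of step 5C: a console program that protects a section of its own app.config with a named provider and then re-opens the file to verify the running account can still decrypt it. It assumes an app.config containing a <connectionStrings> section and, for the RSA case, a provider named JimmyRSAProvider declared in <configProtectedData> as shown above.

```csharp
using System;
using System.Configuration;
static class ConfigProtection
{
    // providerName is "DataProtectionConfigurationProvider" (built-in DPAPI, machine-bound)
    // or "JimmyRSAProvider" as declared in <configProtectedData> above.
    public static bool Protect(Configuration config, string sectionName, string providerName)
    {
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("section not found: " + sectionName);
        if (section.SectionInformation.IsProtected) return false; // nothing to do
        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
    // GetSection deserializes (and so decrypts) the section through its provider; a
    // ConfigurationErrorsException here is the symptom of the process account lacking
    // access to the RSA key container, which is what step 5C fixes with -pa.
    public static bool VerifyReadable(Configuration config, params string[] sectionNames)
    {
        bool ok = true;
        foreach (string name in sectionNames)
        {
            try
            {
                ConfigurationSection s = config.GetSection(name);
                if (s == null) { Console.WriteLine("{0}: not found", name); ok = false; continue; }
                ProtectedConfigurationProvider p = s.SectionInformation.ProtectionProvider;
                Console.WriteLine("{0}: protected={1} provider={2}", name,
                    s.SectionInformation.IsProtected, p == null ? "(plaintext)" : p.Name);
            }
            catch (ConfigurationErrorsException ex)
            {
                ok = false;
                Console.WriteLine("{0}: cannot decrypt: {1}", name, ex.Message);
            }
        }
        return ok;
    }
    static void Main(string[] args)
    {
        // Assumption: this exe's app.config contains a <connectionStrings> section.
        string provider = args.Length > 0 ? args[0] : "DataProtectionConfigurationProvider";
        Configuration cfg = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        Protect(cfg, "connectionStrings", provider);
        cfg = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None); // re-read saved file
        Environment.ExitCode = VerifyReadable(cfg, "connectionStrings") ? 0 : 1;
    }
}
```

Run it once under the deployment account (for example via runas) to confirm step 5C took effect; a non-zero exit code means the section is encrypted but that account cannot open the key container.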

By the way, here are the commands for these operations collected into batch files.

1. Local .bat (create the RSA container, export it, and encrypt web.config; -pz first deletes any existing container with that name)
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pz "JimmyKeys"
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pc "JimmyKeys" -exp
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -px "JimmyKeys" "c:\JimmyKeys.xml"
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "appSettings" "c:\website" -prov "JimmyRSAProvider"

2. Remote server .bat (import the RSA container, grant access)
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pi "JimmyKeys" "c:\JimmyKeys.xml"
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "JimmyKeys" "network service"

Before encryption:
<connectionStrings>
  <add name="connStr" connectionString="Data Source=server;Initial Catalog=Lib;User ID=sa;password=***"
       providerName="System.Data.SqlClient"/>
</connectionStrings>

After encryption:
<connectionStrings configProtectionProvider="JimmyRSAProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>[base64 RSA-encrypted session key elided]</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>[base64 ciphertext elided]</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Similarly, after encrypting this way, the aspx pages do not need to decrypt anything and the code does not need to be modified.

Note: not all nodes can be encrypted. ASP.NET 2.0 only supports encryption for some configuration sections of web.config. Data in the following configuration sections cannot be encrypted:
• <processModel>
• <runtime>
• <mscorlib>
• <startup>
• <system.runtime.remoting>
• <configProtectedData>
• <satelliteassemblies>
• <cryptographySettings>
• <cryptoNameMapping>
• <cryptoClasses>

In addition to the appSettings and connectionStrings nodes, you can also write:
aspnet_regiis.exe -pef "system.serviceModel/behaviors" "d:\website\cntvs\"

That is, encrypt the <behaviors> node under <system.serviceModel>. This node can also be encrypted from code. After several attempts, it seems that nodes other than appSettings and connectionStrings only support encryption down to the second level.

For example:
aspnet_regiis.exe -pef "system.serviceModel/behaviors/endpointBehaviors" "d:\website\cntvs"
Running this reports an error:

The configuration section "system.serviceModel/behaviors/endpointBehaviors" is not found.

The reason is that protection is applied per configuration section, and endpointBehaviors is an element inside the behaviors section rather than a section of its own.