Let's talk about how to encrypt/decrypt sensitive data in web. config/app. config.

Please indicate from "Yang Guo under the bodhi tree"-http://www.cnblogs.com/yjmyzz/archive/2008/08/22/1274395.html

 

I. Use code for encryption and decryption

 

Using System. Web. Configuration;


// Encrypt the specified section in web. Config
Private void ProtectSection (string sectionName)
{
Configuration config = WebConfigurationManager. OpenWebConfiguration (Request. ApplicationPath );
ConfigurationSection section = config. GetSection (sectionName );
If (section! = Null &&! Section. SectionInformation. IsProtected)
{
Section. SectionInformation. ProtectSection ("DataProtectionConfigurationProvider ");
Config. Save ();
}
}

// Decrypt the specified section in web. Config
Private void UnProtectSection (string sectionName)
{
Configuration config = WebConfigurationManager. OpenWebConfiguration (Request. ApplicationPath );
ConfigurationSection section = config. GetSection (sectionName );
If (section! = Null & section. SectionInformation. IsProtected)
{
Section. SectionInformation. UnprotectSection ();
Config. Save ();
}
}

Example: // Encrypted connection string
Protected void btnEncrypt_Click (object sender, EventArgs e)
{
ProtectSection ("connectionStrings ");
}

Changes:

Before encryption:
<ConnectionStrings>
<Add name = "connStr" connectionString = "Data Source = server; Initial Catalog = Lib; User ID = sa; password = ***"
ProviderName = "System. Data. SqlClient"/>
</ConnectionStrings>

After encryption:
<ConnectionStrings configProtectionProvider = "DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>

<CipherValue> AQAAANCMnd8BFdERjHoAwE/Cl + sbaaayzatjjjo 0km/queues/0tpmh7ywaaqaa85nfh133

Authorization/nT + UvpRp154TNnm04LP/iq1indxepw2teviiooexarx8fly00r

Authorization/S87co63ioWie8QDVgGuaTEaSyklC9STyvRsLU6A/qxalchy4vorjzno/27 vGoin + c3AJ587wMKJyJBiV08DyzoGM7elAlg8yTAeHv

Vmloefctuwsc116f2rwhi3fzyuyykczysfhxlexdbj + YRiBxYWP6xzffIdyWzrawxaIfnPq/quit

OcSfbD2LXX4YP506vHDXw </CipherValue>
</CipherData>
</EncryptedData>
</ConnectionStrings>

Note:
After encryption, you can still read the data according to the previous operations.
<ConnectionStrings configProtectionProvider = "DataProtectionConfigurationProvider">
The method used for decryption has been specified here, And asp.net will automatically process it

 

Ii. Use the aspnet_regiis.exe tool for encryption and decryption

Steps:
1. First generate the RSA container locally (For more information about RSA, see http://msdn.microsoft.com/zh-cn/library/yxw286t2 (VS.80). aspx)
Aspnet_regiis.exe-pc "JimmyKeys"-exp
Note: JimmyKeys is the container name, which can be changed as needed.

2. Export RSA to an xml file.
Aspnet_regiis.exe-px "JimmyKeys" c: \ JimmyKeys. xml"

3. Add a section in web. config, which is generally placed before <ettings>, as shown below:

<ConfigProtectedData>
<Providers>
<Add name = "JimmyRSAProvider"
Type = "System. Configuration. RsaProtectedConfigurationProvider, System. Configuration, Version = 2.0.0.0, Culture = neutral, PublicKeyToken = b03f5f7f11d50a3a"
KeyContainerName = "JimmyKeys"
UseMachineContainer = "true"/>

</Providers>
</ConfigProtectedData>

<Deleetask>
...

4. encrypt web. config
Aspnet_regiis.exe-Arg "etettings" c: \ website "-prov" JimmyRSAProvider"

Decryption:
Aspnet_regiis.exe-pdf "appSettings" "c: \ website"

5. Deploy to a remote server (one or more servers)
A. Upload the website file and JimmyKeys. xml (that is, the exported RSA container file) to the server and import the RSA
Aspnet_regiis.exe-pi "JimmyKeys" c: \ JimmyKeys. xml"

B. Check the default account used for aspx logon on the server.
Response. Write (System. Security. Principal. WindowsIdentity. GetCurrent (). Name );
Just create An aspx and paste the previous line of code into it. The IIS5 environment outputs ASPNET and the IIS6 environment outputs network service, I have never tried IIS7 and I don't know what the output is.

C. Grant the RSA window read permission to the default account in B.
Aspnet_regiis.exe-pa "JimmyKeys" "network service"

By the way, sort the commands for these operations into several batches.

1. Local bat (create an RSA container, export the container, and encrypt web. config)
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-pz "JimmyKeys"
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-pc "JimmyKeys"-exp
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-px "JimmyKeys" "c: \ JimmyKeys. xml"
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-Arg "etettings" "c: \ website"-prov "JimmyRSAProvider"

2. Remote Server bat (import RSA container, authorize)
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-pi "JimmyKeys" "c: \ JimmyKeys. xml"
% Windir % \ Microsoft. NET \ Framework \ v2.0.50727 \ aspnet_regiis.exe-pa "JimmyKeys" "network service"

 

Before encryption:
<ConnectionStrings>
<Add name = "connStr" connectionString = "Data Source = server; Initial Catalog = Lib; User ID = sa; password = ***"
ProviderName = "System. Data. SqlClient"/>
</ConnectionStrings>

After encryption:
<ConnectionStrings configProtectionProvider = "JimmyRSAProvider">
<EncryptedData Type = "http://www.w3.org/2001/04/xmlenc#Element"
Xmlns = "http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns = "http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns = "http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns = "http://www.w3.org/2000/09/xmldsig#">
<KeyName> Rsa Key </KeyName>
</KeyInfo>
<CipherData>

<CipherValue> encrypt/decrypt

/VOIU7KTyFjk = </CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>

<CipherValue> c4HD + EfJl // outputs/AwXy/3JECuNEd8YGOO + RDhxw8NySd8vUc53 + iUiHW5TLs/secure + MAmhkiHQ46p

H2VyjyprNsl8LE2pGNjDOJnDeGYq + wkn2iw968 + signature + eCWE2IqCP + s58eQRjU3MxJ2BqeUU9HaKy4 = </CipherValue>
</CipherData>
</EncryptedData>
</ConnectionStrings>

Similarly, after encryption in this way, aspx does not need to be decrypted and the Code does not need to be modified.

Note: not all nodes can be encrypted. ASP. NET 2.0 only supports encryption for some configuration sections of Web. config. Data in the following configuration sections cannot be encrypted:
• <ProcessModel>
• <Runtime>
• <Mscorlib>
• <Startup>
• <System. runtime. remoting>
• <ConfigProtectedData>
• <Satelliteassemblies>
• <CryptographySettings>
• <CryptoNameMapping>
• <CryptoClasses>

In addition to the deleettings and ConnectionStrings nodes, you can write as follows:
Aspnet_regiis.exe-Arg "system. serviceModel/behaviors" "d: \ website \ cntvs \"

That is, for <system. <behaviors> node encryption under serviceModel>. This node is also suitable for code encryption. After several attempts, it seems that other nodes except deleettings and ConnectionStrings can only support second-level nodes.

As follows:
Aspnet_regiis.exe-Arg "system. serviceModel/behaviors/endpointBehaviors" "d: \ website \ cntvs"
An error is reported during running:

The configuration section "system. serviceModel/behaviors/endpointBehaviors" is not found ".