Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

RsaProtectedConfigurationProvider uses RSA public-key encryption to encrypt and decrypt data. It supports machine-level and user-level key containers for key storage. A machine-level key container is available to all users on the machine, but a user-level key container is available only to that user.

Use an RSA machine-level key container if your application runs on its own dedicated server with no other applications, or if you want multiple applications to share the same key. Machine-level keys are stored in the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Use a user-level key container if you run your application in a shared hosting environment and you want to make sure that your application's sensitive data is not accessible to other applications on the server. User-level keys are stored in the following folder:

\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA


By default, RsaProtectedConfigurationProvider is configured to use the machine-level key container.

The following command encrypts a configuration section in the web.config file with RSA (-app takes the application's virtual path as configured in IIS):
aspnet_regiis -pe "section name" -app "/application name"

section name - appSettings, connectionStrings, identity, sessionState, etc.

For example: aspnet_regiis -pe "connectionStrings" -app "/MyWebApplication"

If you are using the ASP.NET Development Server instead of IIS, give the physical path of the web application and use the -pef option. Note that -pef takes the physical directory as its second argument rather than through -app:

aspnet_regiis -pef "connectionStrings" "c:\MyWebApplication"

To grant the ASP.NET application identity read access to the key container (NetFrameworkConfigurationKey is the default container used by the provider), use the following command, substituting the account your application actually runs as for ASPNET:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"

If you are not sure which identity to use, check the identity from a Web page by using the following code:

using System;
using System.Security.Principal;
...
protected void Page_Load(object sender, EventArgs e)
{
    // Writes the Windows account the worker process runs as, e.g. "MACHINE\ASPNET"
    Response.Write(WindowsIdentity.GetCurrent().Name);
}


To decrypt a configuration section in the web.config file that was encrypted with RSA, use the following command:
aspnet_regiis -pd "section name" -app "/application name"

If you are using the ASP.NET Development Server instead of IIS, give the physical path of the web application and use the -pdf option, which again takes the physical directory as its second argument:

aspnet_regiis -pdf "connectionStrings" "c:\MyWebApplication"
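The whole procedure above (encrypt, confirm the application identity can reach the key container, decrypt) can also be driven from code through the configuration API that aspnet_regiis itself uses. The following is an added example, not code from the original post: it assumes a placeholder physical path c:\MyWebApplication, the default provider name RsaProtectedConfigurationProvider that machine.config declares, and the default machine-level container NetFrameworkConfigurationKey. CanOpenContainer reproduces the failure the comment below describes (the worker process lacking read access to the MachineKeys folder) as a yes/no check you can run as the application identity before deploying.

```csharp
// Added example (not from the original post). Programmatic equivalent of
//   aspnet_regiis -pef "connectionStrings" "c:\MyWebApplication"   (Protect)
//   aspnet_regiis -pdf "connectionStrings" "c:\MyWebApplication"   (Unprotect)
// plus the container-access check that the -pa step exists to make pass.
// Assumptions: placeholder path, default provider and container names.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Configuration;

static class RsaConfigProtection
{
    // Open the web.config found in a physical directory (what -pef / -pdf do).
    // For an IIS virtual path (the -pe / -pd form) you would instead call
    // WebConfigurationManager.OpenWebConfiguration("/MyWebApplication").
    static Configuration OpenByPhysicalPath(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypt one section with the named protected-configuration provider.
    public static void Protect(string physicalDir, string sectionName, string providerName)
    {
        Configuration config = OpenByPhysicalPath(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return; // already encrypted; leave the existing ciphertext alone
        section.SectionInformation.ProtectSection(providerName);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Decrypt one section back to plain text in the file.
    public static void Unprotect(string physicalDir, string sectionName)
    {
        Configuration config = OpenByPhysicalPath(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
    }

    // True if the current identity can open the machine-level container and reach
    // its private key. UseExistingKey prevents silently creating a new container,
    // so a CryptographicException here means the account cannot read the key file
    // under ...\Crypto\RSA\MachineKeys and runtime decryption will fail.
    public static bool CanOpenContainer(string containerName)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
                return !rsa.PublicOnly; // private half present, so decrypt can work
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        const string appDir = @"c:\MyWebApplication"; // placeholder path
        const string provider = "RsaProtectedConfigurationProvider";
        const string container = "NetFrameworkConfigurationKey";

        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Can open container: " + CanOpenContainer(container));

        Protect(appDir, "connectionStrings", provider);

        // Reading through the configuration API decrypts transparently, so the
        // application never handles ciphertext itself.
        Configuration cfg = OpenByPhysicalPath(appDir);
        foreach (ConnectionStringSettings cs in cfg.ConnectionStrings.ConnectionStrings)
            Console.WriteLine(cs.Name + ": " + cs.ConnectionString.Length + " chars after decryption");

        Unprotect(appDir, "connectionStrings");
    }
}
```

Run the check as the same account the worker process uses (the identity printed by the Page_Load snippet above); running it as an administrator proves nothing, because administrators can read the container regardless of what -pa granted.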


The following sections cannot be encrypted:

processmodel
runtime
mscorlib
startup
system.runtime.remoting
configprotecteddata
satelliteassemblies
cryptographysettings
cryptonamemapping
cryptoclasses

Reference:

http://msdn2.microsoft.com/En-US/library/ms998283.aspx
http://www.c-sharpcorner.com/Blogs/BlogDetail.aspx?BlogId=229

1 comment:

Anonymous said...

Thanks Sanjay. I used aspnet_regiis to encrypt my web.config but IIS wasn't able to decrypt until I allowed read access to the MachineKeys directory.