Thursday, July 31, 2008

04 - Deploying Encrypted Web Configuration Files


Here we'll cover the encryption of configuration files.

The topics covered will be:

- Creating Encrypted Configuration Sections

- Encrypting Sections with the aspnet_regiis tool

- Encrypting Sections Programmatically

- Deploying Encrypted Web Configuration Files

Deploying Encrypted Web Configuration Files

- If you need to copy an encrypted configuration file from one server to a new server, then you must copy the keys used to encrypt the configuration file to the new server. Otherwise, your application can't read encrypted sections of the configuration file on the new server.
  - You can't copy an encrypted configuration file from one server to another when you are using the DpapiProtectedConfigurationProvider. This section assumes that you are using the RsaProtectedConfigurationProvider.
- By default, the RsaProtectedConfigurationProvider uses a public/private key pair stored in a key container named NetFrameworkConfigurationKey.
  - This key container is located at the following path:
    \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  - This default key container does not support exporting both the public and private encryption keys.
- Now, if you want to deploy an application that contains an encrypted configuration file to a new server, then you must complete five configuration steps:
  1. Create a new key container.
  2. Configure your application to use the new key container.
  3. Export the keys from the origin server.
  4. Import the keys on the destination server.
  5. Grant access to the key container to your ASP.NET application.
- Step 1:
  - aspnet_regiis -pc "SharedKeys" -exp
  - This command creates a new key container named SharedKeys.
  - The -exp option is used to make any keys added to the container exportable.
- Step 2:
  - Configure the application to use the new key container by registering a protected-configuration provider in web.config that names SharedKeys as its key container; the sections you encrypt are then protected with that provider:

    <?xml version="1.0"?>
    <configuration>
      <configProtectedData>
        <providers>
          <!-- The provider name is arbitrary; it only has to match the name used when protecting sections. -->
          <add
            name="SharedKeysProvider"
            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            keyContainerName="SharedKeys" />
        </providers>
      </configProtectedData>

      <connectionStrings>
        <add
          name="Movies"
          connectionString="Data Source=DataServer;Integrated Security=true; Initial Catalog=MyDB" />
      </connectionStrings>
    </configuration>



- Step 3:
  - Export the keys contained in the SharedKeys key container to an XML file:
  - aspnet_regiis -px "SharedKeys" keys.xml -pri
    - The -pri option causes both the private and public key (and not only the public key) to be exported to the XML file.
- Step 4:
  - Copy the XML file to the destination server and import the encryption keys.
  - Execute the following command on the destination server to create a new key container and import the encryption keys:
    - aspnet_regiis -pi "SharedKeys" keys.xml
- Step 5:
  - You can grant access to the SharedKeys key container to the ASPNET account by executing the following command:
    - aspnet_regiis -pa "SharedKeys" "ASPNET"
  - Executing this command modifies the ACLs for the SharedKeys key container so that the ASPNET account has access to the encryption keys.

After you complete this final step, you can transfer ASP.NET applications with encrypted configuration files back and forth between the two servers. An application on one server can read configuration files that were encrypted on the other server.


As an alternative to using the aspnet_regiis tool, you can transfer encryption keys with the help of the RsaProtectedConfigurationProvider class. The RsaProtectedConfigurationProvider class contains methods for exporting and importing keys to and from XML files programmatically.
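As an added example (not code from the original post), the C# below does the export and import steps programmatically with the RsaProtectedConfigurationProvider class and then protects the connectionStrings section. It assumes web.config registers a provider named SharedKeysProvider with keyContainerName="SharedKeys", that the application lives at the IIS virtual path /MyApp, and that the tool runs with rights to the key container; those names are assumptions, not values from the post.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Web.Configuration;

// Added example. Assumed: web.config registers an RsaProtectedConfigurationProvider
// named "SharedKeysProvider" with keyContainerName="SharedKeys", and the app is
// reachable under the IIS virtual path "/MyApp".
class SharedKeyDeployment
{
    // Build a provider bound to the machine-level SharedKeys key container.
    static RsaProtectedConfigurationProvider SharedKeysProvider()
    {
        var provider = new RsaProtectedConfigurationProvider();
        var settings = new NameValueCollection
        {
            { "keyContainerName", "SharedKeys" },
            { "useMachineContainer", "true" }
        };
        provider.Initialize("SharedKeysProvider", settings);
        return provider;
    }

    // Origin server: same effect as aspnet_regiis -px "SharedKeys" keys.xml -pri.
    // The second argument (true) writes the private key too, so the file needs
    // the same handling as any private key material.
    static void ExportKeys(string xmlPath)
    {
        SharedKeysProvider().ExportKey(xmlPath, true);
    }

    // Destination server: same effect as aspnet_regiis -pi "SharedKeys" keys.xml.
    static void ImportKeys(string xmlPath)
    {
        SharedKeysProvider().ImportKey(xmlPath);
    }

    // Encrypt connectionStrings with the provider named in web.config (idempotent).
    static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection("SharedKeysProvider");
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main(string[] args)
    {
        // Usage: export keys.xml | import keys.xml | protect /MyApp
        if (args[0] == "export") ExportKeys(args[1]);
        else if (args[0] == "import") ImportKeys(args[1]);
        else ProtectConnectionStrings(args.Length > 1 ? args[1] : "/MyApp");
    }
}
```

Step 5 (granting the application account access to the container) still has to be done with aspnet_regiis -pa, since the provider class exposes no ACL method.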

Thanks & Regards,

Arun Manglick || Senior Tech Lead
