In ASP.NET 2.0 there is a new feature for encrypting data in web.config. You can use RsaProtectedConfigurationProvider or DPAPIProtectedConfigurationProvider to do the encryption. This article explains the steps for using RsaProtectedConfigurationProvider with a machine-level key container.
1. Determine whether the configuration section of web.config that you want to encrypt can be encrypted
2. Create an RSA key container
3. Identify the key container to be used in web.config
4. Encrypt web.config
5. Grant Access permissions to the RSA key container
Step 1: Determine whether the configuration section of web.config that you want to encrypt can be encrypted
ASP.NET 2.0 supports encrypting some of the configuration sections of Web.config. The data in the following configuration sections cannot be encrypted:
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
Step 2: Create an RSA key container. To create an RSA key container, use the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the -pc switch. Give the key container a name; the same name identifies the key container used by the RsaProtectedConfigurationProvider specified in the configProtectedData section of the application's Web.config file. To ensure that the newly created RSA key container can be exported, include the -exp option.
For example, the following command creates an RSA key container named ABeenKeys, which is an exportable machine-level key container.
aspnet_regiis -pc "ABeenKeys" -exp
Step 3: Modify web.config to identify the key container
Edit the Web.config file to identify the key container to be used.
Add a <configProtectedData> section to web.config to configure the key container. For a machine-level RSA key container named ABeenKeys, first add the xmlns attribute to <configuration>:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Then add a <configProtectedData> section that registers an RsaProtectedConfigurationProvider using the machine-level RSA key container named ABeenKeys:
<configProtectedData>
  <providers>
    <add name="ABeenProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="ABeenKeys" />
  </providers>
</configProtectedData>
Step 4: Encrypt the <connectionStrings> section of your web.config file
Encrypt the connectionStrings section of the application at virtual path /connectionTest. Pass -prov "ABeenProvider" to use the provider configured in Step 3; without -prov, Aspnet_regiis.exe uses the default RsaProtectedConfigurationProvider and its NetFrameworkConfigurationKey container (see the notice under Step 5).
aspnet_regiis -pe "connectionStrings" -app "/connectionTest" -prov "ABeenProvider"
Step 5: Grant access to the RSA key container. To find out which account needs the permission, run the following code in a page of the application; it writes the Windows identity the application runs under:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
By default, RSA key containers are tightly protected by the NTFS access control list (ACL) on the server where they are located. This increases the security of encrypted information by limiting who has access to encryption keys. Before ASP.NET can use the RSA key container, the ASP.NET application's process identity must be granted read access to the RSA key container. You can use the Aspnet_regiis.exe tool with the -pa switch to grant the identity of an ASP.NET application read permission to the RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account read access to a machine-level RSA key container named ABeenKeys:
aspnet_regiis -pa "ABeenKeys" "NT AUTHORITY\NETWORK SERVICE"
Notice:
If the RSA key container is a user-level container, you must be logged in as the user whose Windows profile has the key stored, and you must include the -pku option to grant access to the user-level RSA key container.
To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application's Windows identity access to the machine-level key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. Therefore the above command can also be issued as follows:
aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
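As an added example (not code from the original article), the following C# program does the Step 5 access check and the Step 4 encryption through the .NET configuration API instead of Aspnet_regiis.exe. It assumes the virtual path /connectionTest, the key container ABeenKeys and the provider name ABeenProvider from the steps above; the class and method names are my own. Opening the key container with UseExistingKey means a missing or inaccessible container raises a CryptographicException rather than being silently created, which is the failure you want to see before deploying an encrypted web.config.

```csharp
// Added example, not part of the original article. Assumes the application
// virtual path "/connectionTest", key container "ABeenKeys" and provider
// "ABeenProvider" configured in web.config as shown in Step 3.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Configuration;

class ProtectedConfigDemo
{
    const string AppPath = "/connectionTest";     // -app value from Step 4
    const string KeyContainer = "ABeenKeys";      // container created in Step 2
    const string ProviderName = "ABeenProvider";  // name given in <configProtectedData>

    // Step 5 check: can the current Windows identity open the machine-level
    // key container? UseExistingKey prevents RSACryptoServiceProvider from
    // creating a fresh container when the named one is missing or denied.
    static bool CanAccessKeyContainer()
    {
        var csp = new CspParameters
        {
            KeyContainerName = KeyContainer,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
            {
                return rsa.KeySize > 0;
            }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("{0} cannot open key container {1}: {2}",
                WindowsIdentity.GetCurrent().Name, KeyContainer, ex.Message);
            return false;
        }
    }

    // Step 4 through the API: protect <connectionStrings> with the named
    // provider and write the encrypted section back to web.config.
    static void ProtectConnectionStrings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(AppPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings is already protected by {0}",
                section.SectionInformation.ProtectionProvider.Name);
            return;
        }
        section.SectionInformation.ProtectSection(ProviderName);
        section.SectionInformation.ForceSave = true; // write even if unchanged in memory
        config.Save();
        Console.WriteLine("connectionStrings encrypted with provider {0}", ProviderName);

        // Reading through the API decrypts transparently; the file on disk stays
        // encrypted. Only names are printed so secrets never reach the console.
        foreach (ConnectionStringSettings cs in config.ConnectionStrings.ConnectionStrings)
            Console.WriteLine("connection string {0} (provider {1})", cs.Name, cs.ProviderName);
    }

    static void Main()
    {
        if (!CanAccessKeyContainer())
        {
            Console.WriteLine("Grant read access first: aspnet_regiis -pa \"{0}\" \"<application identity>\"",
                KeyContainer);
            return;
        }
        ProtectConnectionStrings();
    }
}
```

Compile against System.Configuration.dll and System.Web.dll and run it on the web server, under an account that can read the IIS metadata for the site; run it as the identity printed by the Response.Write line in Step 5 if you want the access check to reflect the application's own permissions rather than yours.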