In my application's web.config file I have a connection string stored. I encrypted it using

    Imports System.Configuration
    Imports System.Web.Configuration

    '---open the web.config file
    '---(OpenWebConfiguration lives on WebConfigurationManager,
    '---not on ConfigurationManager)
    Dim config As Configuration = _
        WebConfigurationManager.OpenWebConfiguration( _
        Request.ApplicationPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
        config.Sections("connectionStrings")
    '---specify the protection provider: the built-in RSA provider,
    '---which uses the machine-level "NetFrameworkConfigurationKey" container
    Dim protectionProvider As String = "RsaProtectedConfigurationProvider"
    '---apply the protection and update (skip if already encrypted)
    If Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection(protectionProvider)
        config.Save()
    End If

Now I can decrypt it using the code

    Imports System.Configuration
    Imports System.Web.Configuration

    Dim config As Configuration = _
        WebConfigurationManager.OpenWebConfiguration( _
        Request.ApplicationPath)
    Dim section As ConfigurationSection = _
        config.Sections("connectionStrings")
    '---only an identity with access to the RSA key container can do this
    If section.SectionInformation.IsProtected Then
        section.SectionInformation.UnProtectSection()
        config.Save()
    End If

I want to know where the key is stored.
Also, if somehow my web.config file is stolen, will it be possible for him/her to decrypt it using the code above?

+1  A: 

The user keys are stored in:

[Letter]:\Documents and Settings\[User]\Application Data\Microsoft\Crypto\RSA

Machine keys are in:

[Letter]:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

If someone has the file and the keys then yes, they'll be able to decrypt. If only the file, no they won't be able to.

Also, if they decrypt using the same code on the same server, then yes. However, if they reach your server, it's all over anyways.


EDIT to add into the answer from comments:

  • Q: If I copy the key and paste it on some other PC along with the web.config, will it be decrypted?
  • A: If I'm not mistaken, the key will only work on that machine unless you do an import/export. However, as I say, if someone has gained access to do this, you will be "dead in the water" already, as the compromised server will be devastating.

  • Q: I created one more web application and encrypted it. I see that no new key is created there. Did it use the same key for the 2nd application?
  • A: As far as I know, yes. The keys are generated per machine, per user to my knowledge.
Kyle Rozendo
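The import/export the answer mentions is done with aspnet_regiis.exe, and it is also the way to see which file in MachineKeys a given container maps to (the -pa step sets the ACL on that file). The script below is an added example and is not code from the question or the answer. It assumes a container name "MyAppKeys", an application path "/MyApp", a worker-process identity of NT AUTHORITY\NETWORK SERVICE, and .NET 4.0 paths and assembly version; change those to match your machine. Because the default "NetFrameworkConfigurationKey" container used by the question's code is not created with -exp, a container you intend to move should be created with it.

```powershell
# Added example: move an ASP.NET RSA key container between machines so that an
# encrypted web.config copied from machine A is readable on machine B.
# Container name, app path, identity and framework path are assumptions.
# Run in an elevated prompt; run the "Machine A" part on A and the "Machine B"
# part on B after copying the exported XML file.

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) {
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
}
$container = 'MyAppKeys'                       # assumed container name
$appPath   = '/MyApp'                          # assumed IIS application path
$identity  = 'NT AUTHORITY\NETWORK SERVICE'    # assumed worker-process identity
$exportXml = 'C:\temp\MyAppKeys.xml'

# ---------- Machine A (where the section is encrypted) ----------

# 1. Create a machine-level container flagged exportable (-exp). Without -exp
#    the private key cannot later be exported with -pri.
& $regiis -pc $container -exp

# 2. Grant the worker-process identity read access to the key. This writes an
#    ACL on the key file under ...\Microsoft\Crypto\RSA\MachineKeys.
& $regiis -pa $container $identity

# 3. Register a provider bound to that container. This fragment belongs inside
#    <configuration> in web.config; it is written to a file here for review.
$fragment = @"
<configProtectedData>
  <providers>
    <add name="MyAppRsaProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="$container"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
"@
Set-Content -Path 'C:\temp\configProtectedData.fragment.xml' -Value $fragment

# 4. Encrypt the section with that provider (same effect as ProtectSection()).
& $regiis -pe 'connectionStrings' -app $appPath -prov 'MyAppRsaProvider'

# 5. Export the container WITH its private key (-pri). Treat this file like a
#    password: whoever holds it together with web.config can decrypt.
& $regiis -px $container $exportXml -pri

# ---------- Machine B (where the copied web.config must be readable) ----------

# 6. Import the container and grant the same identity access. Without this,
#    the copied web.config only yields an RSA-encrypted blob on machine B.
& $regiis -pi $container $exportXml
& $regiis -pa $container $identity

# 7. Verify: decrypt in place (or just run the app; .NET decrypts on read).
& $regiis -pd 'connectionStrings' -app $appPath
```

Step 6 is exactly the "import/export" the answer refers to: a web.config taken on its own decrypts nowhere, and a web.config taken together with the exported container (or with the raw key file from MachineKeys plus the ACL to read it) decrypts wherever that container is imported.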
Kyle, if I copy the key (the folder in \CRYPTO\RSA) and paste it on some other PC along with the web.config, will it be decrypted?
Akshay
If I'm not mistaken, the key will only work on that machine unless you do an import/export. However, as I say, if someone has gained access to do this, you will be "dead in the water" already, as the compromised server will be devastating.
Kyle Rozendo
Please let me ask one more question. What I did was delete the contents of the folder Crypto\RSA and then encrypt the web.config. But nothing is added to that folder. I was expecting a key to be generated there. What must have happened?
Akshay
Which folder did you check? The first or second?
Kyle Rozendo
"C:\Documents and Settings\NEWUSER\Application Data\Microsoft\Crypto\RSA" - this folder is empty. But I see it created in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"... My mistake, I didn't see the "All Users" folder. It's getting created there. :)
Akshay
One more thing. I created one more web application and encrypted it. I see that no new key is created there. Did it use the same key for the 2nd application?
Akshay
As far as I know, yes. The keys are generated per machine, per user to my knowledge.
Kyle Rozendo
I came to know that we have 2 options: first, the machine key, which is for all users, and second, the user-level key, which is the key for individual users. Thanks Kyle!
Akshay