views: 254

answers: 1

Hi all,

I have been trying for quite a while to figure out how to encrypt Application blocks that are stored in an external file called dev_entlib.config

I can see in entlib (4.1) that it's possible to use the default protection providers to encrypt the blocks but, I really need to deploy this Application on different servers and thus I would need to export the keyProvider used to encrypt the application blocks to those servers.

What I've done so far is to add a custom Protected Configuration Provider to the machine.config file in the .net v2.0* whatever folder (and all the target servers)

The custom provider is like this:

<add name="MyCompanyProvider"
     type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
     keyContainerName="MyKey"
     useMachineContainer="true" />

that sits nicely beside the other default providers and even has design time support in the Entlib config tool. I then choose the protection provider for each block I want to encrypt.

Looking at the dev_entlib.config, shows that indeed the block was encrypted with my provider. My provider uses my key container. Therefore the block should be encrypted using my key container. I then Export "MyKey" to an xml file using:

c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!

This key file is then copied to my sysTest server where it is imported and has access rights granted to "NT Authority\Network Services" and "ASPNET"

I then copy over my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page which uses .net ConfigurationManager to get the ConnectionStrings collection and display them on the page. This page is running under IIS and the identity of the process is "NT Authority\Network Services".

The problem is, that it doesn't work! There are bad data errors or "failed to decrypt using provider MyCompanyProvider".

This approach seems to make logical sense to me but it still fails.

Does anyone have any other suggestions?

A: 

It doesn't seem to be possible yet. My solution is to just encrypt the blocks as part of the web.config and then copy and paste those blocks into an external entLib.config file. These blocks should then be able to be decrypted on the target servers with the exported key.

nialljsmith
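The key-container round trip described in the question (export with -px ... -pri, import, grant access) and the answer's workaround (encrypt the section in web.config with the custom provider, then paste the block into the external file), written out as an added PowerShell example. This is not code from either poster; it assumes the 32-bit .NET 2.0 runtime path, the "MyKey" container and "MyCompanyProvider" entry from the question already present in machine.config on both machines, a site running as NETWORK SERVICE, and placeholder paths for the key file and site folder. The verification function at the end opens the deployed config through System.Configuration the way the question's test page does, so a missing container or a missing ACL surfaces there as the decryption error rather than only in the browser.

```powershell
# Added example, not from the original post. Assumptions: 32-bit .NET 2.0 runtime,
# container "MyKey" and provider "MyCompanyProvider" registered in machine.config
# on both machines, site identity NETWORK SERVICE, placeholder paths below.
$regiis    = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$container = 'MyKey'
$provider  = 'MyCompanyProvider'
$keyFile   = 'C:\keys.xml'          # placeholder; holds the private key, delete after import
$siteDir   = 'C:\inetpub\MyApp'     # placeholder: folder containing web.config

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# --- source machine ----------------------------------------------------------
# 1. Create the container as exportable. Without -exp, "-px ... -pri" cannot
#    export the private half, and a target server that only has the public
#    half can encrypt but never decrypt.
Invoke-RegIis @('-pc', $container, '-exp')
# 2. Encrypt the section inside web.config with the custom provider. This is
#    the answer's route: -pef only understands web.config, so the resulting
#    <EncryptedData> block is then pasted into the external entLib.config.
Invoke-RegIis @('-pef', 'connectionStrings', $siteDir, '-prov', $provider)
# 3. Export public and private key to XML.
Invoke-RegIis @('-px', $container, $keyFile, '-pri')

# --- target machine (same container name, same provider in machine.config) ---
Invoke-RegIis @('-pi', $container, $keyFile)
# Grant the process identity read access to the container. The account is
# "NETWORK SERVICE" (singular); the ACL must match the app pool identity exactly.
Invoke-RegIis @('-pa', $container, 'NT AUTHORITY\NETWORK SERVICE')
Remove-Item $keyFile -Force   # do not leave the exported private key on disk

# Verification: open the deployed config under the current identity and force
# the section to deserialize, which is where decryption actually happens.
function Test-ProtectedSection {
    param([string]$ConfigPath, [string]$SectionName)
    Add-Type -AssemblyName System.Configuration
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = $ConfigPath
    $cfg = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
    try {
        $section = $cfg.GetSection($SectionName)   # throws "failed to decrypt" on a bad container/ACL
    } catch {
        return [pscustomobject]@{ Section = $SectionName; Decrypts = $false; Error = $_.Exception.Message }
    }
    $info = $section.SectionInformation
    [pscustomobject]@{
        Section     = $SectionName
        IsProtected = $info.IsProtected
        Provider    = if ($info.ProtectionProvider) { $info.ProtectionProvider.Name } else { $null }
        Decrypts    = $true
    }
}

Test-ProtectedSection -ConfigPath (Join-Path $siteDir 'web.config') -SectionName 'connectionStrings'
```

Run the verification step under the same account the site uses (for example via a scheduled task or a test page), since the container ACL is per identity; a result that decrypts as an administrator but not as NETWORK SERVICE points at the -pa step rather than the key export.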