tags:

views:

254

answers:

1
Q: 

Encrypting externally stored App blocks with exportable Key Provider

Hi all,

I have been trying for quite a while to figure out how to encrypt Application blocks that are stored in an external file called dev_entlib.config

I can see in entlib (4.1) that it's possible to use the default protection providers to encrypt the blocks but, I really need to deploy this Application on different servers and thus I would need to export the keyProvider used to encrypt the application blocks to those servers.

What I've done so far is to add a custom Protected Configuration Provider to the machine.config file in the .net v2.0* whatever folder (and all the target servers)

the custom provider is like this

<add name="MyCompanyProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider, 
          System.Configuration, Version=2.0.0.0, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a,
         processorArchitecture=MSIL"
    keyContainerName="MyKey" 
    useMachineContainer="true" />

that sits nicely beside the other default providers and even has design time support in the Entlib config tool. I then choose the protection provider for each block I want to encrypt.

Looking at the dev_entlib.config, shows that indeed the block was encrypted with my provider. My provider uses my key container. Therefore the block should be encrypted using my key container. I then Export "MyKey" to an xml file using:

c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!

This key file is then copied to my sysTest server where it is imported and has access rights granted to "NT Authority\Network Services" and "ASPNET"

I then copy over my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page which uses .net ConfigurationManager to get the ConnectionStrings collection and display them on the page. This page is running under IIS and the identity of the process is "NT Authority\Network Services".

The problem is, that it doesn't work! There are bad data errors or "failed to decrypt using provider MyCompanyProvider".

This approach seems to make logical sense to me but it still fails.

Does anyone have another suggestions?

A: 

It doesn't seem to be possible yet. My solution is to just encrypt the blocks as part of the web.config and then copy and paste those blocks into an external entLib.config file. These block should then be able to be decrypted on the target servers with the exported key.

nialljsmith  2009-01-29 12:03:50

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords