I see that I can use ASP_regiis to encrypt sections of the web.config file, but I am running Mono on a box using Apache. Are there ways to do this in Mono/Linux?

+1  A: 

Unless I am mistaken, IIS will not serve up the Web.Config file. If you are worried about people pulling it down from the web, I am sure you can block this file from being served by Apache.

If you are talking about local security, I don't think there is a "good" way to do this. Say you have a password in your Web.Config; the only way to properly encrypt this is to require another password to decrypt the file. So in essence, since (I assume) you need to access the file programmatically, you're just moving where you store your passwords around, from the Web.Config to the source code or to another external file, which really doesn't gain you anything. All other methods of encryption that don't require a password to decrypt just obscure the file, but are pretty susceptible to being un-obscured.

Read this article on Pidgin (formerly gaim) storing passwords locally: http://developer.pidgin.im/wiki/PlainTextPasswords. In addition, this Wikipedia article on encryption keys could be useful. Both discuss the inherent limitations of security through obscurity.

Essentially if you lock down the file locally, use user account based security to do so, i.e. limit read/write access to the file.

James McMahon
I would rather confidential data be encrypted instead of in clear text in the config file.
CSharpAtl
Right, but what I am saying is that you're not really encrypting it unless you have to manually enter a password every time your application is run.
James McMahon
I am not encrypting it for the web user; I don't want someone on the box to see/manipulate data I have in the file.
CSharpAtl
I think I am not communicating my point very well. I've edited my question and added some more links that will hopefully help you grok what I am saying about key based encryption.
James McMahon
A: 

You can do this programmatically using the System.Configuration.ConfigurationManager to get a ConfigurationSection object and call SectionInformation.ProtectSection("DataProtectionConfigurationProvider") on it

    using System;
    using System.Configuration;

    public static class ConfigProtection
    {
        /// <summary>
        /// Encrypts a Config section from the given Configuration object
        /// </summary>
        /// <param name="sectionKey">Path to the section to Encrypt</param>
        /// <param name="config">Configuration</param>
        public static void EncryptConfigSection(String sectionKey, Configuration config)
        {
            ConfigurationSection section = config.GetSection(sectionKey);
            if (section != null)
            {
                // Skip sections that are already encrypted
                if (!section.SectionInformation.IsProtected)
                {
                    // Locked sections (e.g. locked by machine.config) cannot be changed here
                    if (!section.ElementInformation.IsLocked)
                    {
                        // Encrypt with DPAPI; decryption is transparent to code on this machine
                        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                        // ForceSave ensures the section is written even if it appears unchanged
                        section.SectionInformation.ForceSave = true;
                        config.Save(ConfigurationSaveMode.Full);
                    }
                }
            }
        }
    }

For Web Configuration you'll need to use System.Web.Configuration.WebConfigurationManager to get the Configuration object that you can then pass to the above function. Note that for web.config files only certain sections are encryptable.

Also be aware that if the settings are stored in the AppSettings then anyone can write a simple app which when run on your server could retrieve the Plain Text values of the settings provided they know the names of your settings.

Check out the following article by Jon Galloway on alternatives to simply encrypting the AppSettings section: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

RobV
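An added example (not from the original answer) that demonstrates the caveat above: after `ProtectSection` the file on disk holds `<EncryptedData>`, yet any code running under the same DPAPI scope on the box reads the value back in plain text with no password. It assumes a console program whose own `.exe.config` is writable and a runtime that supports the `DataProtectionConfigurationProvider`; the `dbPassword` key and its value are constructed sample data.

```csharp
using System;
using System.Configuration;
using System.IO;

// Hypothetical console program: protects appSettings in its own .exe.config,
// then reads the setting back through the normal API.
class ProtectDemo
{
    const string Key = "dbPassword";

    static void Main()
    {
        // Open this executable's own configuration file (e.g. ProtectDemo.exe.config)
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        // Constructed sample secret, added only if not already present
        if (config.AppSettings.Settings[Key] == null)
        {
            config.AppSettings.Settings.Add(Key, "constructed-sample-secret");
        }

        ConfigurationSection section = config.GetSection("appSettings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
        }
        config.Save(ConfigurationSaveMode.Full);

        // On disk the section now contains <EncryptedData> rather than the value
        string onDisk = File.ReadAllText(config.FilePath);
        Console.WriteLine(onDisk.Contains("EncryptedData") ? "stored encrypted" : "stored in clear");

        // But a fresh read through ConfigurationManager decrypts transparently:
        // this is the "simple app run on your server" case from the answer.
        ConfigurationManager.RefreshSection("appSettings");
        Console.WriteLine("read back: " + ConfigurationManager.AppSettings[Key]);
    }
}
```

Because the decryption key is tied to the machine or account rather than to a password, the protection only holds against readers outside that DPAPI scope; restricting read access to the file itself, as the first answer suggests, is still needed.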