Encrypting and decrypting sensitive data in your web.config files using Protected configuration - Part I - Pini Dayan

Pini Dayan

The best thing about a boolean is even if you are wrong, you are only off by a bit.

Encrypting and decrypting sensitive data in your web.config files using Protected configuration - Part I

We can use the "Protected configuration" feature of ASP.NET when we want to encrypt sensitive data stored in our web.config file, such as usernames, passwords and of course our connection strings. The advantage of securing our sensitive data is obvious: we make it difficult for an attacker to gain access to this data even if he somehow got access to our web.config file.

Here is a sample of unencrypted data stored in the web.config file:

<configuration>
  <connectionStrings>
    <add name="MySqlServer" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind111;" />
   </connectionStrings>
</configuration>

Once I encrypt my data, the same data will look something like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>RSA Key</KeyName> </KeyInfo> <CipherData> <CipherValue>RXO/zmmy3sR0iOJoF4ooxkFxwe
lVYpT0riwP2mYpR3FU+r6BPfvsqb384pohivk1237Dm4lPgR2bE9F7k6TblLVJFvnQu7p7d/yjnhzgHw
WKMqb0M0t0Y8DOwogkDDXFxs1UxIhtknc+2a7UGtGh6Di3N572qxdfmGfQc7ZbwNE= </CipherValue>
</CipherData> </EncryptedKey> </KeyInfo> <CipherData> <CipherValue>KMNKBuV9nOid8pUvdNLY5I8R7BaEGncjkwYgshW8ClKjrXSM7zeIRmAy/cTaniu8Rfk92KV
kEK83+UlQd+GQ6pycO3eM8DTM5kCyLcEiJa5XUAQv4KITBN
BN6fBXsWrGuEyUDWZYm6Eijl8DqRDb11i+StkBLlHPyyhbnCAsXdz5CaqVuG0obEy2x
mnGQ6G3Mzr74j4iffnyvRq7levA2sBR4lhE5M80Cd5
yKEJktcPWZYM99TmyO3KYjtmRW/Ws/XO3z9z1b1KohE5Ok/YX1YV0+Uk4/yuZo0
Bjk+rErG505YMfRVtxSJ4ee418ZMfp4vOaqzKr
SkHPie3zIR7SuVUeYPFZbcV65BKCUlT4EtPLgi8CHu8bMBQkdWxOnQEIBeY+TerAee/SiBCrA8M/n9
bpLlRjjjb+URiGLoaj+XHym//fmCclAcveKlba6vKrcbqhEjsnY2F
522yaTHcc1+wXUWqif7rSIPhc0+MT1hB1S
123AdmPgtZUyzcL51DoChy+hZ4vLzE= </CipherValue> </CipherData> </EncryptedData> </connectionStrings>

The nice thing is that when your code executes, the data is decrypted and the code can then use the sensitive data (in this sample, the connection string).

So how do we make this encryption magic work? We use the good old aspnet_regiis.exe tool, which is installed when we install the .NET Framework.

This utility is installed under the %SystemRoot%\Microsoft.NET\Framework\versionNumber folder and it includes several options for encrypting portions of the web.config file, decrypting them, creating keys from the containers or adding new ones (I will explain the keys later). In addition, we may need to grant our running process authorization to access these keys; this is also done using this tool.

As with many ASP.NET features, such as Membership, State management and more, this feature also works on the Provider Model (plug-and-play provider code, for instance to use a different data store in the case of Membership).

More on the provider model: http://msdn2.microsoft.com/en-us/library/Aa479030.aspx

The base class of this feature is ProtectedConfigurationProvider, which is new in .NET 2.0. The 2 providers we can use out of the box are:

I will explain later when to use which one, but for now remember that if your application is going to run in a web farm (on several computers), you need to use the RsaProtectedConfigurationProvider, which enables you to export and import the keys of the RSA algorithm used to encrypt your data from one machine to another.

A few words about RSA and asymmetric encryption:

When we wish to encrypt and decrypt data, we have 2 options:

1. The symmetric way, which uses the same key for encrypting and decrypting data. (The known algorithms for this way are: DES, RC2, TripleDES and of course Rijndael.)

2. The asymmetric way, which uses 2 different keys, one for encryption and the other for decryption. These 2 keys are called the private key and the public key. The private key is kept secret, while the public key may be widely distributed. The well-known RSA algorithm is an example of this approach.

For more details on that issue see: http://en.wikipedia.org/wiki/Symmetric_cipher and http://en.wikipedia.org/wiki/Public-key_cryptography

So, how do we specify which provider we want to use?

We first need to add the provider we want to use to our web.config file, like this:

<configProtectedData>
    <providers>
      <add name="MyProvider"
        type="System.Configuration.RsaProtectedConfigurationProvider, 
              System.Configuration, Version=2.0.0.0, Culture=neutral, 
              PublicKeyToken=b03f5f7f11d50a3a,
             processorArchitecture=MSIL"
        keyContainerName="MySampleKeys"
        useMachineContainer="true" />
    </providers>
  </configProtectedData>

The name of the provider, "MyProvider", will be used later for the config section we want to encrypt. The keyContainerName is also very important: it is the name of the RSA key container used to encrypt or decrypt the contents of the Web.config file. In addition, it is important to note that the running process must have read rights on this container (I will show how to grant these rights later).

For more details on that issue see: http://msdn.microsoft.com/en-us/library/68ze1hb2(VS.80).aspx
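
An added example, not from the original post: a Python check that reads a web.config and reports which sensitive sections are protected, and with which provider, algorithms and key container. The function name, the list of audited sections and the embedded samples (with placeholder cipher values) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
SECTIONS = ("connectionStrings", "appSettings")  # assumption: sections worth auditing

def _alg(node):
    # Short algorithm name from the xmlenc URI, e.g. "tripledes-cbc".
    return node.get("Algorithm").split("#")[-1] if node is not None else None

def audit_config(xml_text):
    """Per sensitive section: is it protected, and by which provider and key container?"""
    root = ET.fromstring(xml_text)
    declared = {p.get("name"): p for p in root.findall("configProtectedData/providers/add")}
    report = {}
    for name in SECTIONS:
        section = root.find(name)
        if section is None:
            continue
        provider = section.get("configProtectionProvider")
        enc = section.find(XENC + "EncryptedData")
        if provider is None or enc is None:
            report[name] = {"encrypted": False, "plaintext_entries": len(section.findall("add"))}
            continue
        decl = declared.get(provider)  # None when the provider is not declared in this file
        report[name] = {
            "encrypted": True,
            "provider": provider,
            "data_algorithm": _alg(enc.find(XENC + "EncryptionMethod")),
            "key_algorithm": _alg(enc.find(f".//{XENC}EncryptedKey/{XENC}EncryptionMethod")),
            "key_container": decl.get("keyContainerName") if decl is not None else None,
        }
    return report

# Constructed samples: the page's plaintext section, then its encrypted layout (placeholder cipher values).
PLAIN = """<configuration><connectionStrings>
  <add name="MySqlServer" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind111;" />
</connectionStrings></configuration>"""
PROTECTED = """<configuration>
<configProtectedData><providers><add name="MyProvider" keyContainerName="MySampleKeys" useMachineContainer="true" /></providers></configProtectedData>
<connectionStrings configProtectionProvider="MyProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedKey></KeyInfo>
  <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
</EncryptedData></connectionStrings></configuration>"""
if __name__ == "__main__":
    print(audit_config(PLAIN), audit_config(PROTECTED), sep="\n")
```

A section reported with "encrypted": False still holds its entries in clear text, and a "key_container" of None means the named provider is not declared in the file being checked.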

OK, so we chose the provider we want. How do we actually encrypt the data?

This is the time to start using the aspnet_regiis.exe tool, but first we need to create our key container that holds the keys for the RSA encryption and decryption.

To create the key container (when using the RsaProtectedConfigurationProvider provider), we will use the -pc option of aspnet_regiis. You must also specify the name of the container, and tell the tool if you wish to export it later using the -exp option. Here is a sample of how to create this container:

aspnet_regiis -pc "MySampleKeys" -exp

Notice that the MySampleKeys name is the one in the keyContainerName. After you have created the key container, you need to grant access to the place where the container is stored (these are ACLs). So, if you are using ASP.NET, you need to grant the process identity a read right. To grant this authorization, you need to use the -pa option of aspnet_regiis:

aspnet_regiis -pa "MySampleKeys" "NT AUTHORITY\NETWORK SERVICE"

There is a difference between user-level keys and machine-level keys, which I will explain later.

For more information see http://msdn.microsoft.com/en-us/library/zhhddkxy(VS.80).aspx

OK, so we have created our key container and did not use the default one (we can do this as well, my guess is that this is exactly what the Entlib does). Now let's encrypt the config section we want to secure. For this purpose, let's use the -pe option of aspnet_regiis:

aspnet_regiis -pe "connectionStrings" -app "/website1"

where website1 is the name of the application in IIS.

Comments

Shlomo said:

Very useful

# December 30, 2008 1:49 PM

Pini Dayan said:

Thanks, Shlomo :-)

# December 30, 2008 3:22 PM