Encrypting and decrypting sensitive data in your web.config files using Protected configuration - Part II
In the previous post I showed how to encrypt the sensitive data in my web.config using the ASP.NET protected configuration feature. Let's continue.
What are user-level and machine-level key containers?
From MSDN: "User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity. User-level RSA key containers can be useful if you want to ensure that the RSA key information is removed when the Windows user profile is removed. However, because you must be logged in with the specific user account that will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections, they are inconvenient to use.
Machine-level RSA key containers are available to all users that can log in to a computer, by default, and are the most useful as you can use them to encrypt or decrypt protected configuration sections while logged in with an administrator account. A machine-level RSA key container can be used to protect information for a single application, all the applications on a server, or a group of applications on a server that run under the same user identity. Although machine-level RSA key containers are available to all users, they can be secured with NTFS Access Control Lists (ACLs) so that only required users can access them."
"You identify an RSA key container as a user-level key container with the -pku option; otherwise, the RSA key container is considered a machine-level container."
OK, so we have created the key container; now we need to get it onto the other machines.
The next step I want to show is how to use this machine-level key container on more than one machine. This scenario comes up when your application runs in a web farm: every node must share the same keys for the encryption and decryption process, because a web.config section encrypted with one RSA key can only be decrypted by a node that holds the matching private key.
To export the container we created earlier, run:
aspnet_regiis -px "MySampleKeys" keys.xml -pri
-px tells the tool to export the key container with the given name to the file. -pri exports the private key as well (the half that decrypts the data); without it the file holds only the public key, which can encrypt but never decrypt, so the other servers would not be able to read the protected sections.
Now we need to import this file on every server that should share the same keys.
To summarize, these are the steps to create, export and import the container on a different server (I found them in another blog):
1. Create a machine-level RSA key container on the encrypting machine. -exp marks the key as exportable; without it the private key cannot be exported in step 4.
Example: aspnet_regiis -pc "MySampleKeys" -exp
2. In the web.config file, define an instance of the RSA protected configuration provider that uses the RSA key container created in the previous step. keyContainerName must match the name from step 1 and useMachineContainer="true" selects the machine-level container.
Example:
<!-- goes directly after </configSections>, inside <configuration> -->
<configProtectedData defaultProvider="SampleProvider">
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MySampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
3. Encrypt the relevant web.config section(s) using the RSA protected configuration provider instance defined in the previous step (it is the defaultProvider, so no -prov option is needed).
Example: aspnet_regiis -pe "connectionStrings" -app "/website1"
Don't forget to grant the process identity read access to the key container, otherwise the application fails at runtime when it tries to decrypt the section (see the note after the import step below). By the way, the simplest way to find out the process identity is to write System.Security.Principal.WindowsIdentity.GetCurrent().Name to the screen from a page in the application.
4. Export both the public and private keys from the RSA key container created in step 1. The public key is used to encrypt configuration data and the private key is required to decrypt it.
Example: aspnet_regiis -px "MySampleKeys" keys.xml -pri
5. On the decrypting machine or machines, import both the public and private keys, exported in the previous step, into an RSA key container with the same name as the container on the encrypting machine.
The keys.xml exported in step 4 looks like this. <Modulus> and <Exponent> are the public key; <P>, <Q>, <DP>, <DQ>, <InverseQ> and <D> are the private key and are only present because of -pri. Treat the file as a secret: copy it over a secure channel and delete it after importing.
<RSAKeyValue>
<Modulus>mYZNaEAAp6PodWwYcj0te43FbX8F8LUb6e2RbI7aWquY/+C2LvdjRvTlHIUhv0wcy4Xm7IwUNWoa
VsfJ+lKRgo3sPJ9pOtrP6xH+9PWbFl13dZP/GCFDo+9mpc5NaIFrrd+CHdz6BQs7sEzwPDn5o4IQlEFl+RrTQZUTWjh+8Cs=
</Modulus>
<Exponent>AQAB</Exponent>
<P>zU0hsYyFHYZcxHzShRp1Pyb4gdkYVSVPscmX9ptbj9Knm4jc8Rq6fde1pzKb7zrq/319rb27zcsFhGzVg3KhLQ==</P>
<Q>v2/rdGza/JJ6HlFZompiZpaAL5qD/L98DMshwM3aH9EF3gfIjXWD+/LGEdhSDMiFzVLPHI8vmkF40TDqMX49tw==</Q>
<DP>wxhkR3xY15jiuVpBGHnvJ4daKtLqe6eMV1BS1+gFF+TAoF5sT7btuD7wAiZm5u1felF/yEaAnO0sng5qzJJ3NQ==</DP>
<DQ>R+AfiSDtv3LHguaMPtyugVH0Yusirxy92JfT3m3rfZKfH1PQyrvaiBgIod6UP9Rx2DtFI7Xm64W1dOVmqJp7VQ==</DQ>
<InverseQ>Hpn8yd0+v7MqgCaj7c1StKhEsDYaaFpolzL9/CmDbnUc09p5Ub9vf86quX9XKDR1a0RWa1caX1+AoZ1YJaPekQ==</InverseQ>
<D>IjHEqfSfcLdUPlseMsunhr5z+8hwBUYBep/8ZQaIYeuYf12IlntpdFN1eF26v4XvX/FqFsO
4eJEyXqPPO98KI4alANj2be3AmVFNd1xXng6D8WxwDtqIUHTHPON4Xk1VU6lhGCNHQgABC+npB
/1LCc5PC9veC6wHE1PeGNU2Xmk=</D>
</RSAKeyValue>
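As an added check (example code written for this post, not from the original or from Microsoft's tooling), before importing keys.xml on a node you can load it with System.Security.Cryptography.RSACryptoServiceProvider.FromXmlString, the same .NET API that understands this <RSAKeyValue> layout. PublicOnly tells you whether -pri was used, a round trip proves the private half matches the public half, and after the import the script opens the machine-level container the provider will use and compares its modulus with the file. The file path and container name are assumptions.

```powershell
# Added example, not part of the original post. Assumed: keys.xml in the current
# directory and a machine-level container called "MySampleKeys".
param(
    [string]$KeyFile   = ".\keys.xml",
    [string]$Container = "MySampleKeys"
)

# FromXmlString accepts the <RSAKeyValue> layout written by "aspnet_regiis -px",
# including base64 values wrapped across several lines.
$xml      = Get-Content -Path $KeyFile -Raw
$fromFile = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$fromFile.FromXmlString($xml)
"Key size in $KeyFile`: $($fromFile.KeySize) bits"

if ($fromFile.PublicOnly) {
    Write-Warning "$KeyFile holds the public key only (exported without -pri); a node that imports it can encrypt but cannot decrypt web.config"
} else {
    "$KeyFile contains the private key: protect the file and delete it after import"
    # Round trip through the file's own key pair: proves <D>, <P>, <Q>, ... belong to <Modulus>.
    # Constructed test string, kept short so it fits even a 512-bit key with OAEP padding.
    $plain  = [Text.Encoding]::UTF8.GetBytes("constructed-secret")
    $cipher = $fromFile.Encrypt($plain, $true)
    $back   = [Text.Encoding]::UTF8.GetString($fromFile.Decrypt($cipher, $true))
    if ($back -ne "constructed-secret") { throw "private key in $KeyFile does not match its public key" }
    "round trip through the exported key pair succeeded"
}

# Open the machine-level container exactly as useMachineContainer="true" does.
# UseExistingKey makes this fail instead of silently creating an empty container.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $Container
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor `
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
try {
    $inStore = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
} catch {
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    throw "machine-level container '$Container' does not exist or is not readable by $who (run aspnet_regiis -pi / -pa first)"
}

# Compare the public modulus; ExportParameters($false) works for public-only keys too.
$fileMod  = [Convert]::ToBase64String($fromFile.ExportParameters($false).Modulus)
$storeMod = [Convert]::ToBase64String($inStore.ExportParameters($false).Modulus)
if ($fileMod -eq $storeMod) {
    "container '$Container' holds the same key as $KeyFile"
} else {
    Write-Warning "container '$Container' holds a DIFFERENT key; a web.config encrypted with $KeyFile will not decrypt on this node"
}
```

Run it from an elevated prompt after step 6 on each node; if the container check throws for the account the web application runs under, the ACL from the -pa step is missing. The round trip uses OAEP padding only as a self-test of the file; the provider's own padding is controlled by its useOAEP attribute, not by this script.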
6. Import the key container on the destination machine using the command: aspnet_regiis -pi "MySampleKeys" keys.xml
On the decrypting machine or machines, grant read access to the newly created RSA key container to the Windows identity of the relevant web application, then delete keys.xml from the server.
That covers the machine-level key container. All that's left is to add the same provider entry (keyContainerName="MySampleKeys", useMachineContainer="true") to the web.config on the destination machine, as in step 2 (or to machine.config if every application on the server should use it), and deploy the encrypted web.config.
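The whole procedure above as one script (an added example for this post, not the original author's code): run it with -Phase Export once on the encrypting server, copy keys.xml to each web-farm node over a secure channel, then run it with -Phase Import on every node. It assumes 64-bit .NET 4.x, the container "MySampleKeys", the IIS application path "/website1" and the app pool identity "IIS AppPool\website1"; replace the identity with whatever WindowsIdentity.GetCurrent().Name reports for your application (for example "NT AUTHORITY\NETWORK SERVICE").

```powershell
<#
  Added example, not code from the original post.
  Assumptions: 64-bit .NET 4.x, container "MySampleKeys", application path
  "/website1", app pool identity "IIS AppPool\website1", key file C:\keys\keys.xml.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet("Export", "Import")][string]$Phase,
    [string]$Container   = "MySampleKeys",
    [string]$KeyFile     = "C:\keys\keys.xml",
    [string]$AppPath     = "/website1",
    [string]$AppIdentity = "IIS AppPool\website1"
)

$regiis = Join-Path $env:WINDIR "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

function Invoke-Regiis {
    # aspnet_regiis reports failures through its exit code; stop on the first one.
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Phase) {
    "Export" {
        # Step 1: machine-level container; -exp marks the private key exportable,
        # without it "-px ... -pri" is refused in step 4.
        Invoke-Regiis @("-pc", $Container, "-exp")

        # Step 4: export public and private halves. From here on keys.xml is as
        # sensitive as the plaintext connection strings, so lock the file down first.
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $KeyFile) | Out-Null
        Invoke-Regiis @("-px", $Container, $KeyFile, "-pri")
        icacls $KeyFile /inheritance:r /grant:r "BUILTIN\Administrators:F" | Out-Null

        # Steps 2/3: with the SampleProvider entry already in web.config, let the
        # application identity read the container and encrypt the section.
        Invoke-Regiis @("-pa", $Container, $AppIdentity)
        Invoke-Regiis @("-pe", "connectionStrings", "-app", $AppPath)
        "Exported $Container to $KeyFile and encrypted connectionStrings for $AppPath"
    }
    "Import" {
        # Step 5/6: import under the same container name web.config refers to.
        Invoke-Regiis @("-pi", $Container, $KeyFile)
        # Grant the web application's Windows identity read access to the container.
        Invoke-Regiis @("-pa", $Container, $AppIdentity)
        # The private key now lives in the machine key store; leave no copy on disk.
        Remove-Item -Path $KeyFile -Force
        "Imported $Container on $env:COMPUTERNAME and granted read access to $AppIdentity"
    }
}
```

If the site is not the default web site, add -site "<site name>" to the -pe call. Deploy the encrypted web.config from the export server to the nodes only after the Import phase has run on them, otherwise the application fails to decrypt the section at startup.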
Enjoy.