by Anton
19. April 2014 19:18
We wanted to encrypt the passwords we store in the web.config of our web application. Most of the web pointed to aspnet_regiis.exe: http://msdn.microsoft.com/en-us/library/53tyfkaw(v=vs.100).aspx We want to use the encrypted web.config on a few machines, so we need to import the decryption keys on those machines.
I pretty much used the walkthrough provided by Microsoft.
- Create a custom RSA key container: aspnet_regiis -pc "CampingInfo" -exp
- Grant the application access to the keys: aspnet_regiis -pa "CampingInfo" "NT AUTHORITY\NETWORK SERVICE". The ASP.NET identity can be found by creating and calling a page containing "Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);"
- Add a configuration provider to the web.config:
  <configuration>
    <configProtectedData>
      <providers>
        <add name="CampingInfoProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider"
             keyContainerName="CampingInfo"
             useMachineContainer="true" />
      </providers>
    </configProtectedData>
    ...
  </configuration>
- Put the settings to be encrypted in a custom section in the web.config:
  <configuration>
    <configSections>
      <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler" />
    </configSections>
    <secureAppSettings>
      <add key="somepassword" value="xyz" />
    </secureAppSettings>
    ...
  </configuration>
- Encrypt the custom section: aspnet_regiis -pef "secureAppSettings" "C:\<path to directory where web.config resides>" -prov "CampingInfo"
- Export the RSA key container: aspnet_regiis -px "CampingInfo" "c:\keys.xml" -pri
- Copy the XML file to a second server which runs the same application (with the same, now partially encrypted web.config).
- Import the RSA key container on the second server: aspnet_regiis -pi "CampingInfo" "c:\keys.xml"
- Grant the application on the second server access to the keys as in step 2 (the identity may be different).
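After the import it is worth checking from inside the application that the section really is protected by the expected provider and that decryption works under the application pool identity; the following C# is an added example, not code from the original post, and the class and method names are hypothetical (the section and provider names are the ones used above).

```csharp
// Added example: verify from within the ASP.NET application that
// secureAppSettings is protected by CampingInfoProvider and that the
// identity granted via "aspnet_regiis -pa" can actually decrypt it.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Web.Configuration;

public static class SecureSettingsCheck
{
    // Returns a short status string describing how the section is protected.
    // Throws if the section is missing or protected by a different provider,
    // which is what you see when the key container was not imported with -pi.
    public static string VerifyProtection()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("secureAppSettings");
        if (section == null)
            throw new ConfigurationErrorsException("secureAppSettings section is missing");

        SectionInformation info = section.SectionInformation;
        if (!info.IsProtected)
            return "secureAppSettings is NOT encrypted (run aspnet_regiis -pef)";

        // Provider name must match <add name="..."> under <configProtectedData>.
        string provider = info.ProtectionProvider.Name;
        if (provider != "CampingInfoProvider")
            throw new ConfigurationErrorsException(
                "secureAppSettings is protected by '" + provider +
                "', expected 'CampingInfoProvider'");

        return "secureAppSettings is encrypted with " + provider;
    }

    // Reads one decrypted value. GetSection decrypts transparently; if the RSA
    // key container is absent on this server, or the app pool identity was not
    // granted access (the -pa step), this throws a ConfigurationErrorsException
    // instead of returning ciphertext, so a failed import is caught early.
    public static string GetSecureSetting(string key)
    {
        var settings = (NameValueCollection)ConfigurationManager.GetSection("secureAppSettings");
        if (settings == null || settings[key] == null)
            throw new ConfigurationErrorsException("secureAppSettings has no key '" + key + "'");
        return settings[key];
    }
}
```

Call VerifyProtection() and GetSecureSetting("somepassword") from a diagnostic page or at application start on each server; a ConfigurationErrorsException there points at a missing key container or missing key ACL rather than at the application code.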