ASP.NET secure configuration - how to encrypt with public key only?

When using an ASP.NET protected configuration, how can I encrypt the configuration with only the public key?

I can export a public key file. I would like to use this public key to encrypt configuration files on another server for later deployment. However, I cannot figure out how to get aspnet_regiis to use the public key.

Basically, I tried to import only the public key into the container and then encrypt it. However, when I do this, instead of using the existing key for encryption, it creates a completely new key pair, overwriting the existing public key. In the script below, if you rename each of the copied files back to connections.config and try to decrypt them, the first (connectionstring_server.encrypted) will fail and the second (connectionstring_build.encrypted) will succeed, proving that a new key pair has been created.

Here is a batch file demonstrating the approach I've tried (edit: this is just an example to test the capabilities of aspnet_regiis. My actual use of this will obviously be slightly different):

REM delete container in case it already exists
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pz "MyKeys"

REM create container
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pc "MyKeys"

REM export key
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -px "MyKeys" "publicKey.xml"

REM encrypt file
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" . -prov "MyProvider"

REM copy encrypted file for later comparison
copy connections.config connectionstring_server.encrypted
pause

REM decrypt file
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "connectionStrings" .

REM delete container
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pz "MyKeys"

REM import public key
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pi "MyKeys" publicKey.xml

REM encrypt file with just public key - THIS DOES NOT WORK CORRECTLY, it creates a new keypair
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" . -prov "MyProvider"

REM copy back encrypted file
copy connections.config connectionstring_build.encrypted
pause

REM decrypt file
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "connectionStrings" .


And here is a sample web.config

<?xml version="1.0"?>
<configuration>
    <configProtectedData>
        <providers>
            <add name="MyProvider" keyContainerName="MyKeys" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL" useMachineContainer="true" />
        </providers>
    </configProtectedData>
  <connectionStrings configSource="connections.config" />
</configuration>


And the corresponding connections.config:

<connectionStrings>
  <add name="SomConnectionName" connectionString="Data Source=somedatasource; Initial Catalog=somedatabase; Integrated Security=SSPI; Persist Security Info=False;" providerName="System.Data.SqlClient" />
</connectionStrings>


Edit: As the answer below suggests, I could export the private key as well. This would actually allow encryption to work, but I don't need a secret key for encryption. I want to leave the private key only on the server that will use the config file and keep the public key somewhere more accessible. Is the inability to do this just an aspnet_regiis limitation?

2 answers


I think your problem is with the export command: when you export, you need to supply the -pri argument to tell aspnet_regiis that you want to export the private key as well as the public key.

REM export key
\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -px "MyKeys" "publicKey.xml" -pri

Without the private key, your import still generates its own key pair. It could be a Microsoft bug; aspnet_regiis should at least warn you that it was unable to import your incomplete key and that it created a new one instead.

Exporting only the public key can be helpful: you could give your operations or development team an XML file and they could encrypt the config file before it's deployed to the server, without having to divulge the private key. In addition, this way you will not need to run the encryption process on every server in your farm.
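The workflow this answer describes, and what the question asks for, only needs the public half of the key: the RSA provider encrypts the section with a fresh symmetric data key and then wraps that data key under the RSA public key, so nothing in the encryption step requires the private key. The following C# program is an added example (not code from the question, the answers, or Microsoft) that encrypts the question's connections.config using only the exported publicKey.xml; it assumes the output layout matches what RsaProtectedConfigurationProvider writes (TripleDES data key, RSA PKCS#1 v1.5 key wrap, KeyName "Rsa Key"), so confirm on the server holding the private key with aspnet_regiis -pdf before relying on it.

```csharp
// Added example (not from the question or answers); assumes publicKey.xml and
// connections.config from the question are in the working directory.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class PublicKeyOnlyEncrypt
{
    const string KeyName = "Rsa Key";         // name the provider looks up its RSA key by on decrypt
    const string ProviderName = "MyProvider"; // from the question's web.config

    static void Main()
    {
        // -px without -pri writes <RSAKeyValue> with Modulus/Exponent only: no private half.
        var rsa = new RSACryptoServiceProvider();
        rsa.FromXmlString(File.ReadAllText("publicKey.xml"));
        if (!rsa.PublicOnly) throw new InvalidOperationException("expected a public-only key");

        // Wrap the section in a dummy root and encrypt that root's content, so the
        // plaintext inside the cipher is the whole <connectionStrings> element.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<foo>" + File.ReadAllText("connections.config") + "</foo>");
        var exml = new EncryptedXml(doc);
        using (var tdes = new TripleDESCryptoServiceProvider()) // fresh random data key + IV
        {
            byte[] cipher = exml.EncryptData(doc.DocumentElement, tdes, true);
            // Data key wrapped under the RSA public key; only the container's private key can unwrap it.
            var ek = new EncryptedKey { EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url) };
            ek.CipherData = new CipherData(EncryptedXml.EncryptKey(tdes.Key, rsa, false));
            ek.KeyInfo.AddClause(new KeyInfoName(KeyName));
            var ed = new EncryptedData { Type = EncryptedXml.XmlEncElementUrl };
            ed.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl);
            ed.CipherData = new CipherData(cipher);
            ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
            EncryptedXml.ReplaceElement(doc.DocumentElement, ed, true);
        }

        // Write what "aspnet_regiis -pef" would: the section element naming the
        // provider, with <EncryptedData> as its only child.
        var outDoc = new XmlDocument();
        XmlElement section = outDoc.CreateElement("connectionStrings");
        section.SetAttribute("configProtectionProvider", ProviderName);
        section.AppendChild(outDoc.ImportNode(doc.DocumentElement.FirstChild, true));
        outDoc.AppendChild(section);
        outDoc.Save("connections.config");
    }
}
```

Treat publicKey.xml as integrity-sensitive even though it is not secret: whoever can swap it decides which private key can read the deployed config, so distribute it through a channel the build team can verify.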


I don't know if it was a bug or not, but I definitely ran into this problem. Public and private keys must be imported into the Windows key store for any of the .NET functionality to work. However, the private key can be protected if you did not specify the -exp switch when importing the key.
