Encrypt external stored application blocks with an exported key provider

I have been trying for quite some time to figure out how to encrypt application blocks that are stored in an external file called dev_entlib.config.

In EntLib (4.1) I can see that it is possible to use the default security providers to encrypt blocks, but I really need to deploy this application to different servers and therefore I will need to export the key provider used to encrypt the application blocks to these servers.

What I have done so far is add the custom secure configuration provider to the machine.config file in the .NET v2.0 folder (and on all target servers).

The custom provider looks like this:

<add name="MyCompanyProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider, 
          System.Configuration, Version=2.0.0.0, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a,
         processorArchitecture=MSIL"
    keyContainerName="MyKey" 
    useMachineContainer="true" />


which sits alongside the other providers by default and even has design-time support in the EntLib configuration tool. Then I choose a security provider for each block that I want to encrypt.

Looking at dev_entlib.config shows that indeed the block was encrypted by my provider. My provider is using my key container. So the block needs to be encrypted using my key container. Then I export "MyKey" to an XML file using:

c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!


This key file is then copied to my sysTest server, where it is imported and permissions are granted to "NT Authority \ Network Services" and "ASPNET".

Then I copy my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page that uses the .NET ConfigurationManager to get a collection of ConnectionStrings and display them on the page. This page runs under IIS and the process identity is NT Service / Network Services.

The problem is, it doesn't work! There are "bad data" errors or "could not be decrypted by MyCompanyProvider".

This approach seems logical to me, but it still fails.

Does anyone have any other suggestions?

2 answers


Encrypt external enterprise library configuration files using a custom RSA key container using the enterprise library configuration tool.

  • EntLib (4.1) uses the default protection provider RsaProtectedConfigurationProvider. But you can remove this provider in your config file and replace it with your own provider of the same name, which can then point to your custom key container: "MyKey".
  • You must add this configProtectedData section in the config file that has the scope you want to encrypt (for example your external file: dev_entlib.config). You don't need to modify the machine.config file at all.
  • You can then select the RsaProtectedConfigurationProvider as the protection provider for the Data Access block in the Enterprise Library Configuration application.
  • You need to open EntLibConfig.exe with "Run as administrator" privileges if you are on Vista, Windows 7 or Windows 2008.
    • Otherwise, you will receive an error:
      • Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.

  • Then you can copy this encrypted dev_entlib.config along with the web.config file to your sysTest server. Open the web.config file with the Enterprise Library configuration tool on this sysTest server so that you don't receive the error message:
    • Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.

web.config

This file is pretty empty and just points to an external data config file:

<!-- web.config -->
<configuration>
  <configSections>
    <section name="enterpriseLibrary.ConfigurationSource" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ConfigurationSourceSection, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <enterpriseLibrary.ConfigurationSource selectedSource="External Data Configuration File Source">
    <sources>
      <add name="External Data Configuration File Source" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.FileConfigurationSource, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        filePath="dev_entlib.config" />
    </sources>
  </enterpriseLibrary.ConfigurationSource>
</configuration>


dev_entlib.config

This file has connection strings and a security provider with which it should be encrypted:

<!-- dev_entlib.config -->
<configuration>
  <configSections>
    <section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <dataConfiguration defaultDatabase="MyConnectionStringName" />
  <connectionStrings>
    <add name="cnHnicMediaLibrary" connectionString="Server=MyDbServer; Database=MyDbName; Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <configProtectedData>
    <providers>
      <remove name="RsaProtectedConfigurationProvider" />
      <add name="RsaProtectedConfigurationProvider"
           keyContainerName="MyKey"
           useMachineContainer="true"
           description="Uses our own encryption key container so that it will work in a Web Farm setting. We need to trick Enterprise Library, which wants to use the default RsaCryptoServiceProvider to encrypt and decrypt, by replacing this default provider with our own while this configuration is processed!"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </configProtectedData>
</configuration>


Based:

I hope this describes the error message you had and how to fix it.

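The answer above hinges on one detail: the provider is resolved by the name "RsaProtectedConfigurationProvider" from the external file's own configProtectedData section, so a "Bad Data" failure on the target server usually means that name resolves to a different key container there, or the app pool identity has no access to "MyKey". The following C# is an added example (not code from the question or either answer) that opens dev_entlib.config the same way, reports which container the file-level provider points at, protects the connectionStrings section through that provider, and checks on the target server that the section decrypts; the class and method names and the file path are assumptions.

```csharp
using System;
using System.Configuration;

// Added example: protect and verify the connectionStrings section of an external
// EntLib file, resolving the provider through that file's <configProtectedData>.
static class ExternalConfigProtector
{
    // Must match the <add name="..."> in dev_entlib.config; EntLib 4.1 asks for this name.
    const string ProviderName = "RsaProtectedConfigurationProvider";

    static Configuration Open(string path)
    {
        // Maps the external file as an exe config so it inherits machine.config
        // but honours the file's own <remove>/<add> of the provider.
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Reports which key container the file-level provider uses, so a container
    // mismatch between build and target servers is visible before deploying.
    public static string DescribeProvider(string path)
    {
        var protectedData = (ProtectedConfigurationSection)Open(path).GetSection("configProtectedData");
        ProviderSettings settings = protectedData.Providers[ProviderName];
        if (settings == null)
            return ProviderName + " is not declared in " + path + "; the machine.config default applies";
        return string.Format("{0}: keyContainerName={1}, useMachineContainer={2}", settings.Name,
            settings.Parameters["keyContainerName"], settings.Parameters["useMachineContainer"]);
    }

    // Encrypts connectionStrings with the provider named in the file itself.
    public static void Protect(string path)
    {
        Configuration config = Open(path);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection(ProviderName);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Run on the sysTest server under the app pool identity: a successful read proves
    // the imported "MyKey" container and its ACL (aspnet_regiis -pa) are correct.
    public static bool CanDecrypt(string path)
    {
        try
        {
            var section = (ConnectionStringsSection)Open(path).GetSection("connectionStrings");
            return section != null && section.SectionInformation.IsProtected;
        }
        catch (ConfigurationErrorsException) { return false; } // "Bad Data" surfaces here
    }
}
```

Because the exported keys.xml produced by -pri contains the private key, treat it as a secret while it is in transit and delete it once the container has been imported on each server.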


This is not possible yet. My solution is to just encrypt the blocks as part of the web.config and then copy and paste those blocks into the external entLib.config file. This block must then be decrypted on the target servers using the exported key.


