Web Config ConnectionString Encryptor v0.9 Release Note

Since ASP.NET 2.0, web.config has had a connectionStrings section for database connection strings, and the protected configuration feature can encrypt that section so that sensitive values (such as a database account and password) are not stored in clear text. For example:

<connectionStrings>
<add name="PlaygroundConnectionString" connectionString="Data Source=(local);Initial Catalog=Playground;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>

Will be encrypted as:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <KeyName>Rsa Key</KeyName>
    </KeyInfo>
    <CipherData>
     <CipherValue>a44a3giX...(omitted)...o+VMsXS8os=</CipherValue>
    </CipherData>
   </EncryptedKey>
  </KeyInfo>
  <CipherData>
   <CipherValue>TX5qKv+s...(omitted)...3YgrV5wcA==</CipherValue>
  </CipherData>
</EncryptedData>
</connectionStrings>

Structurally this is XML Encryption: a random 3DES session key encrypts the element, and that session key is wrapped with the RSA public key of a machine-level key container (the default provider uses PKCS#1 v1.5 padding; setting useOAEP="true" on the provider switches it to OAEP). Without access to that key container the ciphertext is useless, so a copied or stolen web.config no longer gives away the credentials. The flip side is that anyone who can read the key container on the server, such as a local administrator or a process running under the application's identity, can decrypt the section again; the encryption protects the file at rest, not a compromised server. MSDN documents web.config encryption in more detail.

The catch is that the only tool Microsoft ships for encrypting and decrypting web.config is the aspnet_regiis.exe command-line utility, so you have to know its arguments and type them by hand, which is not very convenient. For example, to encrypt a web.config and deploy it to three web farm servers, this is what I have to do:

  1. Run aspnet_regiis -pc "SharedKeys" -exp to create a shared, exportable RSA key container.
  2. Run aspnet_regiis -px "SharedKeys" keys.xml -pri to export the RSA key container, including its private key, to an XML file.
  3. Copy keys.xml to the 3 web farm servers.
  4. Run aspnet_regiis -pi "SharedKeys" keys.xml on each of the 3 web farm servers to import the RSA key container (and delete keys.xml afterwards; it holds the private key in clear text).
  5. Run aspnet_regiis -pa "SharedKeys" "NT AUTHORITY\NETWORK SERVICE" to grant the ASP.NET web application read access to the key container. (Note: IIS 7.5 application pools run as IIS APPPOOL\YourAppPoolName by default, so replace NT AUTHORITY\NETWORK SERVICE with the appropriate account.)
  6. In web.config, add:
    <configProtectedData>
    <providers>
      <add keyContainerName="SharedKeys" useMachineContainer="true"
       name="SharedKeys" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </configProtectedData>
  7. Run aspnet_regiis -pe "connectionStrings" -app "/WebApplication" -prov "SharedKeys" to encrypt the connectionStrings section.
  8. Copy the encrypted web.config to the 3 web farm servers.
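
The eight steps above scripted end to end, as an added example that is not part of the original post and not the tool's own code. It runs aspnet_regiis.exe on the source server, pushes the exported container to each farm member over the administrative share, registers the provider in web.config, encrypts the section, verifies the result, and only then ships the file. Assumed: you are a local administrator on every server, PowerShell remoting is enabled, all servers run the same .NET Framework build, the application's IIS path and physical path are the ones in the parameters, and the host names web01-web03 are made up.

```powershell
# Added example (not from the original post or the tool): automate the
# aspnet_regiis.exe web-farm procedure. All paths, host names and the
# application pool identity below are assumptions for illustration.
param(
    [string]   $Container       = "SharedKeys",
    [string]   $AppPath         = "/WebApplication",                    # IIS path used by -pe
    [string]   $PhysicalPath    = "C:\inetpub\wwwroot\WebApplication",  # assumed physical path
    [string]   $AppPoolIdentity = "IIS APPPOOL\WebApplication",         # IIS 7.5; use "NT AUTHORITY\NETWORK SERVICE" on IIS 6/7.0
    [string[]] $FarmServers     = @("web01", "web02", "web03"),         # constructed host names
    [string]   $KeyFile         = (Join-Path $env:TEMP "keys.xml")
)
$ErrorActionPreference = "Stop"
# Use the framework build the application targets (v2.0.50727 for .NET 2.0/3.5 applications).
$regiis = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

function Invoke-RegIis([string[]] $ArgList) {
    & $regiis @ArgList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($ArgList -join ' ') failed (exit code $LASTEXITCODE)" }
}

# Step 6: register an RsaProtectedConfigurationProvider bound to the container, once.
function Add-ProtectedDataProvider([string] $ConfigPath, [string] $Name) {
    [xml] $xml = Get-Content -Path $ConfigPath
    $root = $xml.DocumentElement
    $cpd = $root.SelectSingleNode("configProtectedData")
    if (-not $cpd) { $cpd = $root.AppendChild($xml.CreateElement("configProtectedData")) }
    $providers = $cpd.SelectSingleNode("providers")
    if (-not $providers) { $providers = $cpd.AppendChild($xml.CreateElement("providers")) }
    if ($providers.SelectSingleNode("add[@name='$Name']")) { return }   # already registered
    $add = $xml.CreateElement("add")
    $add.SetAttribute("name", $Name)
    $add.SetAttribute("keyContainerName", $Name)
    $add.SetAttribute("useMachineContainer", "true")
    $add.SetAttribute("type", "System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
    [void] $providers.AppendChild($add)
    $xml.Save($ConfigPath)
}

# Steps 1-2: exportable machine-level container, exported together with its private key.
Invoke-RegIis @("-pc", $Container, "-exp")
Invoke-RegIis @("-px", $Container, $KeyFile, "-pri")
# keys.xml now holds the private key in clear text: restrict it to the current user while it exists.
icacls $KeyFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
try {
    # Steps 3-5 on each farm member: copy, import, grant, then remove the key file.
    foreach ($server in $FarmServers) {
        Copy-Item -Path $KeyFile -Destination "\\$server\C$\Windows\Temp\keys.xml"
        Invoke-Command -ComputerName $server -ArgumentList $regiis, $Container, $AppPoolIdentity -ScriptBlock {
            param($regiis, $container, $identity)
            & $regiis -pi $container "C:\Windows\Temp\keys.xml"
            & $regiis -pa $container $identity
            Remove-Item "C:\Windows\Temp\keys.xml" -Force
        }
    }
} finally {
    Remove-Item $KeyFile -Force   # never leave the exported private key lying around
}

# Step 5 for the source server itself, then steps 6 and 7.
Invoke-RegIis @("-pa", $Container, $AppPoolIdentity)
$webConfig = Join-Path $PhysicalPath "web.config"
Add-ProtectedDataProvider -ConfigPath $webConfig -Name $Container
Invoke-RegIis @("-pe", "connectionStrings", "-app", $AppPath, "-prov", $Container)

# Check before shipping: the section must name our provider and contain no clear-text connectionString.
[xml] $encrypted = Get-Content -Path $webConfig
$cs = $encrypted.configuration.connectionStrings
if ($cs.configProtectionProvider -ne $Container -or $cs.SelectNodes("add[@connectionString]").Count -gt 0) {
    throw "connectionStrings was not encrypted with provider '$Container'"
}

# Step 8: ship the encrypted web.config; the farm members decrypt it with the imported container.
foreach ($server in $FarmServers) {
    Copy-Item -Path $webConfig -Destination "\\$server\C$\inetpub\wwwroot\WebApplication\web.config"
}
```

The two additions a hand-typed run usually skips are the ACL on the exported keys.xml and its removal in the finally block: that file is the private key of every server in the farm, and the import on each member is the only legitimate use it has.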

I have always thought there should be a more convenient tool that finishes these tedious steps and hides the utility's argument details, so I wrote one: Web Config ConnectionString Encryptor!

It is a handy GUI tool that covers the operations aspnet_regiis.exe used to do, including web.config encryption and decryption and RSA key container management.

The UI is straightforward (I hope so ;P): choose the web application from the dropdown list and its web.config appears in the viewer; the [Edit] button launches Notepad to edit the web.config. If the connectionStrings section of the web.config is not encrypted, click [Encrypt] to encrypt it; if it is already encrypted, the [Encrypt] button becomes [Decrypt] and you can decrypt it with one click, too.

The RSA Key Container Management UI can be used to create, delete, export and import key containers.

The tool currently supports English and Traditional Chinese (Taiwan).

Here are the steps for some typical scenarios:

  1. Single web server (using the default key container)
    a) Choose the web application from the dropdown list
    b) Click [Encrypt]
  2. Single web server (using a specific key container)
    a) Choose the web application from the dropdown list
    b) Enter the key container name
    c) Click [Encrypt]
    (If the key container does not exist, a new one is created automatically. The auto-created key container is not exportable, so it cannot be shared with web farm servers; see the next case for web farm scenarios. When a specific key container is used, an RsaProtectedConfigurationProvider named after the key container is appended to the <configProtectedData><providers> node of the web.config.)
    d) Open the [Manage Key Container] function
    e) Enter the key container name and click [Grant]
  3. Sharing an encrypted web.config among web farm servers
    a) Open the [Manage Key Container] function
    b) Enter the key container name and click [Create]
    c) Click [Grant]
    d) Click [Export] and save the key container as an XML file
    e) Copy the XML file to the web farm servers, run Web Config ConnectionString Encryptor on each of them, open [Manage Key Container], enter the key container name, and click [Import] and then [Grant]. Remember to delete the XML file from each server afterwards: it contains the private key.
    f) Choose the web application from the dropdown list
    g) Enter the key container name
    h) Click [Encrypt]
    i) Copy the encrypted web.config to the web farm servers.
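
What the [Encrypt]/[Decrypt] button and the automatic provider entry described above amount to in code, as an added example using the System.Configuration API that aspnet_regiis.exe wraps. This is not the tool's own source. Assumed: Windows PowerShell on a machine with the .NET Framework, a web application at the physical path passed in, and a caller that can read the key container; if a named container does not exist yet, the provider creates a non-exportable one on first use, as the post notes.

```powershell
# Added example (not the tool's code): toggle protection of <connectionStrings>
# with the .NET protected-configuration API. Paths in the usage lines are assumptions.
Add-Type -AssemblyName System.Configuration
Add-Type -AssemblyName System.Web

# Open web.config by physical path, so no IIS metabase lookup is needed.
function Open-WebConfig([string] $PhysicalPath) {
    $map = New-Object System.Web.Configuration.WebConfigurationFileMap
    $map.VirtualDirectories.Add("/", (New-Object System.Web.Configuration.VirtualDirectoryMapping($PhysicalPath, $true)))
    return [System.Web.Configuration.WebConfigurationManager]::OpenMappedWebConfiguration($map, "/")
}

# Append <configProtectedData><providers><add name=... keyContainerName=.../> unless it is already there.
function Register-KeyContainerProvider($Config, [string] $ContainerName) {
    $protected = $Config.GetSection("configProtectedData")
    if ($protected.Providers[$ContainerName]) { return }
    $type = "System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    $settings = New-Object System.Configuration.ProviderSettings($ContainerName, $type)
    $settings.Parameters["keyContainerName"]    = $ContainerName
    $settings.Parameters["useMachineContainer"] = "true"
    $protected.Providers.Add($settings)
}

# Decrypt if the section is protected, otherwise encrypt it; returns the new state.
function Switch-ConnectionStringsProtection {
    param(
        [string] $PhysicalPath,
        [string] $KeyContainer = ""   # empty = machine-wide default RsaProtectedConfigurationProvider
    )
    $config  = Open-WebConfig $PhysicalPath
    $section = $config.GetSection("connectionStrings")
    if ($section.SectionInformation.IsProtected) {
        # Requires read access to whichever key container encrypted the section; otherwise this throws.
        $section.SectionInformation.UnprotectSection()
        $state = "decrypted"
    } else {
        $provider = "RsaProtectedConfigurationProvider"
        if ($KeyContainer) {
            Register-KeyContainerProvider -Config $config -ContainerName $KeyContainer
            $provider = $KeyContainer
        }
        $section.SectionInformation.ProtectSection($provider)
        $state = "encrypted"
    }
    # Save writes both the provider entry and the re-encoded section to the same web.config.
    $config.Save()
    return $state
}

# Usage (paths assumed): keep a backup, then flip the section once.
$app = "C:\inetpub\wwwroot\WebApplication"
Copy-Item -Path (Join-Path $app "web.config") -Destination (Join-Path $app "web.config.bak")
Switch-ConnectionStringsProtection -PhysicalPath $app -KeyContainer "SharedKeys"
```

Running this twice returns the file to clear text, which is also the quickest way to confirm that the account you run it under can actually reach the key container; the application pool identity, granted separately with [Grant] or aspnet_regiis -pa, needs the same read access at runtime.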

Although I believe this tool is simple and safe, use it at your own risk, and back up your web.config to be on the safe side. Any feedback is welcome.

CodePlex: Web Config ConnectionString Encryptor

Published 29 August 2010 04:59 PM by Jeffrey



Comments

# Mulder said on 30 August, 2010 12:36 AM

You're truly awesome I have to say

# Mulder said on 30 August, 2010 12:41 AM

btw, in the last line, "use it at your own task" (should it be "risk"?)

# Jeffrey said on 30 August, 2010 01:45 AM

to Mulder, I'm glad that you like it.  Yes, you are right, it should be "risk" and I just corrected it.  It seems that clumsy English and numerous typos have become my features. :-S
