-----------------------------------------------------------
New Message on MumbaiUserGroup
-----------------------------------------------------------
From: Swapnil_B1
Message 1 in Discussion
Using Configuration API - Encryption
Encrypting an entire section of a configuration file is straightforward with
the 2.0 configuration API. There are several configuration areas where
sensitive information may appear: for instance, the <connectionStrings> section
may contain database usernames and passwords, and the <identity> section will
contain a username and password when you need the runtime to impersonate a
fixed identity. You may even keep a password for a third party web service in
appSettings or a custom section. Whenever secrets like these appear, consider
encrypting the section instead of leaving the secrets and passwords in plain
text.
Note: there are sections that may contain passwords that you cannot encrypt,
namely the <processModel> section. You can still use the Aspnet_setreg.exe tool
to store a password for this section securely.
The following section of code shows how easy it is to protect (encrypt) and
unprotect (decrypt) an entire configuration section. (Note: you do not need to
unprotect a section in order to read configuration settings from the section.
The runtime will read the encrypted data and perform the decryption necessary
for your application to read the plain text values. The Unprotect method call
is here to demonstrate how to return a section to unencrypted form).
using System;
using System.Configuration;
using System.Web.Configuration;

protected void toggleEncryptionButton_Click(object sender, EventArgs e)
{
    // Open the web.config at the application root
    Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
    ConnectionStringsSection section =
        config.GetSection("connectionStrings") as ConnectionStringsSection;

    if (section.SectionInformation.IsProtected)
    {
        // Return the section to plain text
        section.SectionInformation.UnprotectSection();
    }
    else
    {
        // Encrypt the section with the DPAPI-based provider
        section.SectionInformation.ProtectSection(
            "DataProtectionConfigurationProvider");
    }

    // Write the modified configuration back to disk
    config.Save();
    WriteMessage("connections protected = " +
        section.SectionInformation.IsProtected);
}
If we were to examine our web.config file after toggling encryption to on, we'd
notice the configuration API has added some additional information:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <protectedData>
    <protectedDataSections>
      <add name="connectionStrings"
           provider="DataProtectionConfigurationProvider"
           inheritedByChildren="false" />
    </protectedDataSections>
  </protectedData>
  <appSettings configSource="appSettings.config"/>
  <connectionStrings configSource="connections.config"/>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
  </system.web>
</configuration>
In addition, we'd find our connectionStrings.config file would contain a
cipherValue instead of plaintext connection strings. (Note: we do not need to
use an external configuration source to take advantage of encryption; the
configuration API would have happily encrypted the connection strings section
if it lived inside of web.config).
<connectionStrings>
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BF....</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
At runtime, the configuration API will decrypt sections on the fly. We can
still use WebConfigurationManager.ConnectionStrings to return connection
strings usable by our application.
To understand what we are seeing in the configuration file, we first need to
realize that the runtime turns to a configuration encryption provider for
encryption and decryption work. The two providers shipping in .NET 2.0 are the
DataProtectionConfigurationProvider and the RSAProtectedConfigurationProvider
(you can also implement your own protected configuration provider if need be).
We can specify the provider we want to use in the string passed to the
ProtectSection method, as seen in the earlier source code snippet. In our
example we are using the DataProtectionConfigurationProvider.
The DataProtectionConfigurationProvider uses the Windows Data Protection API
(DPAPI) underneath the covers. This provider uses a machine-specific secret key
for encryption and decryption work. Because the DataProtectionConfigurationProvider
relies on a machine-specific key, you can only decrypt cipher text that was
encrypted on the same machine.
If you need to move configuration files with encrypted sections from machine to
machine, you'll need the RSAProtectedConfigurationProvider. The
RSAProtectedConfigurationProvider, as the name would imply, uses RSA public key
encryption.
You can work with the RSAProtectedConfigurationProvider from the command line
tool aspnet_regiis, which includes options to create a keypair (-pc), export a
keypair (-px), import a keypair (-pi), grant access to a keypair (-pa), remove
access (-pr), and more. Command line arguments also allow you to specify which
encryption provider to use.
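As an added example (not code from the original post), the helper below audits the sections named above (connectionStrings, appSettings and system.web/identity) for plain-text secrets and protects any it finds with a provider chosen by name. The class and method names are hypothetical; "RsaProtectedConfigurationProvider" is the provider name registered in machine.config for the RSA provider, and the process identity must have been granted access to the RSA key container (aspnet_regiis -pa) or decryption at runtime will fail.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper: report and fix unprotected sensitive sections.
public static class ProtectedConfigAudit
{
    // Section paths in the form GetSection() expects them.
    static readonly string[] SensitiveSections =
    {
        "connectionStrings",
        "appSettings",
        "system.web/identity"
    };

    // Returns the sensitive sections that exist but are still plain text.
    public static string[] FindUnprotected(Configuration config)
    {
        var unprotected = new List<string>();
        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null) continue;   // section not present in this file
            if (!section.SectionInformation.IsProtected)
                unprotected.Add(name);
        }
        return unprotected.ToArray();
    }

    // Encrypts every unprotected sensitive section with the named provider:
    // "DataProtectionConfigurationProvider" for a single machine (DPAPI key),
    // "RsaProtectedConfigurationProvider" when the file must move between machines.
    public static int ProtectAll(Configuration config, string providerName)
    {
        int count = 0;
        foreach (string name in FindUnprotected(config))
        {
            config.GetSection(name).SectionInformation.ProtectSection(providerName);
            count++;
        }
        config.Save(ConfigurationSaveMode.Modified);   // persist the cipher text
        return count;
    }

    // Called from inside the web application, as the post's button handler is.
    public static void Example()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        foreach (string name in FindUnprotected(config))
            Console.WriteLine("plain text secrets in: " + name);
        ProtectAll(config, "RsaProtectedConfigurationProvider");
    }
}
```

After ProtectAll runs, WebConfigurationManager.ConnectionStrings still returns the decrypted values, so application code needs no change.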
Swapnil (Swaps)
http://swapsnet.spaces.live.com/