"aspnet_regiis -pef" command removes "<configSections>" section of web.config - asp.net

I am using the following command to use a machine key to encrypt part of my web.config (it is actually an app.config for a .net app, renamed to web.config so the aspnet_regiis will work with it):
aspnet_regiis -pef "section-to-encrypt" "C:\inetpub\path-to-web.config\bin\Release" -prov "provider-name"
Before running this, I add the section <configProtectedData>, which seems to be required (to hook "provider-name" to machine crypto, it appears).
Problem: After running the above command, the <configSections> is removed from the .config file, damaging it.
What am I doing wrong?

I had a similar issue which I just resolved. If I insert the configProtectedData section before the configSections section, it wipes out configSections. If I add it after the configSections section, it does not.
I'm encrypting a regular web.config file but I don't believe that difference matters.

Encrypt connection String IIS 7

I am using a TFS 2017 Release definition to deploy my website. My password and username environmental variables are hidden, but when the connection string is passed, the Web.config file shows the password and the username. How can I encrypt the connection string in the web.config file?
You can run this command in a command prompt (cmd.exe):
%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/SampleApplication"
Where SampleApplication is the name of your application in IIS
See this article for more information.
Update
To encrypt the Connection string in web.config file, TFS build task could not do this. It's more related to IIS. Suggest you take a look at this blog: Encrypting connectionStrings in Web.Config using the NetFrameworkConfigurationKey in an IIS Web Farm scenario
You could try to replace the specific value in the web.config through Replace Token task during release in VSTS. Sample screenshot:
For this configuration of Replace Token task, it can replace #{con}#
to the con variable value (Create a variable (variable name: con) in
Variable tab of build definition) for all .config files (have #{con}#
code) in $(System.DefaultWorkingDirectory) location.
<connectionStrings>
<add name="DefaultConnection" connectionString="#{con}#" providerName="System.Data.SqlClient" />
</connectionStrings>
I got it working using @Arman's answer but had to modify it a bit: I had to specify the site number. By default it's 1, which is a different website. Check this link on how to find your website number.
%%windir%%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/" -site "2"
In my case the site was number 2. Also you have to run the command prompt as Administrator.
Thanks for all your answers.
You have to browse to aspnet_regiis and then execute the command with the pef and pdf commands along with the section name and the path of the web.config file.

Run the Qt application as administrator on Windows

Is there a way I can run the Qt application as an administrator? I have an auto-updater for my application. It needs administrator privileges to replace the files in Program Files folder and hence it requires administrator privileges.
Running your application with administrator privileges does not have a whole lot to do with Qt. There are two approaches.
The "simple" one is to manually set your application to run with administrator privileges. You can do so by right-clicking on the executable. Then on the "Compatibility" tab, you can choose to "Run this application as an administrator" under "Privilege level".
However, if you automatically want to achieve the same, you will have to embed a manifest into your application. What you're looking for is to set the requestedExecutionLevel to requireAdministrator. A bit more information can be found on MSDN or in this Wikipedia entry on UAC.
For your application as built in Qt Creator, it means you will need to embed the manifest by including a reference to it in a Resource (.rc) file. This resource file can then be added to your .pro file by specifying RC_FILE = myapp.rc. An informative blog post on this very issue is this one, as well as this post on the QtCentre forum.
A very simple solution for this, if you're using MSVC toolkit, is to add the following into the project file:
QMAKE_LFLAGS_WINDOWS += "/MANIFESTUAC:\"level='requireAdministrator' uiAccess='false'\""
I am using Qt 5.12 msvc2017.
I've found this to be quite neat, as from what I see in generated Makefile, Qt is already adding some manifest related link flags, and this approach wouldn't interfere with already embedding manifest, as manually adding manifest from existing file.
Other manifest link options can be easily added. You can read the docs for VS compiler, and/or you can check what flags/options Visual Studio IDE has to offer in Project properties/Linker/Manifest File and then check Command Line section of the Linker to see how it adds them.
Not sure how would this be done in gcc or clang builds, it would probably require solutions provided by @H Aßdøµ and @Bart.
From the article that @Bart referred to:
Application Manifest
First, we have to prepare an application manifest file. This one below is for application that does not require administrator rights:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="2.0.2.0" processorArchitecture="X86" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
Second, we need the MT.exe tool from the Microsoft Windows SDK to embed this XML in our executable. To do it use the following command:
mt.exe -manifest MyApp.exe.manifest -outputresource:MyApp.exe;1
Automatic Manifest Embedding
Manually executing the mt command after each compilation is a tedious task. What about convincing qmake to do it for us? After studying the docs it looks like the following line should do the trick:
win32 {
WINSDK_DIR = C:/Program Files (x86)/Microsoft SDKs/Windows/v7.0A
WIN_PWD = $$replace(PWD, /, \\)
OUT_PWD_WIN = $$replace(OUT_PWD, /, \\)
QMAKE_POST_LINK = "$$WINSDK_DIR/bin/x64/mt.exe -manifest $$quote($$WIN_PWD\\$$basename(TARGET).manifest) -outputresource:$$quote($$OUT_PWD_WIN\\${DESTDIR_TARGET};1)"
}
The above code will automatically execute the mt.exe program from WINSDK_DIR and embed a manifest file that is located in the project root directory and named after project's target (ie. MyApp.manifest). That's all to adding a manifest, now let's move on and specify the version information.
Original post: http://blog.strixcode.com/2010/08/embedding-application-manifest-and.html

Encrypt custom config section in ASP.NET using aspnet_regiis

We are using a custom config section (via the NameValueConfigSection) to contain our settings.
These settings are externalised from web.config via configSource.
So, entries in web.config look something like this:
<configSections>
<section name="customSettings" type="System.Configuration.NameValueSectionHandler" />
</configSections>
<customSettings configSource="config\customSettings.config" />
We want to encrypt this "customSettings.config" file on our production server, so run this command, as recommended by Microsoft (here: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx)
aspnet_regiis -pe customSettings -site 4 -app /
And this produces the following output:
Encrypting configuration section...
Succeeded!
However, it does not succeed at all, leaving the file exactly as it was
(incidentally, this command does work if encrypting a non-custom section, such as an externalised connectionStrings section)
I have been able to write a little console app that does work ok, but we really want to use the standard tools to do what should be a standard operation - can anyone tell me if this is a limitation or where I am going wrong?
Thanks :)
I'm comparing your code with this:
To encrypt the connectionStrings section with the DPAPI provider with the machine key store (the default configuration), run this command from a command prompt:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
where:
-pe specifies the configuration section to encrypt.
-app specifies the web app's virtual path. If the app is nested, specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI"
-prov specifies the provider name.
I wonder if you need to provide the app name? And/or the provider?
And their version encloses the attribute values in quotes.
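
Because the tool printed "Succeeded!" while leaving the file unchanged, the reliable check is to inspect the file on disk. The PowerShell below is an added example, not code from the original post: it follows `configSource` to the external file and reports whether the section carries a `configProtectionProvider` attribute and an `<EncryptedData>` element, which is what an encrypted section looks like. `Test-SectionEncrypted`, the temp folder and the sample files are constructed for illustration.

```powershell
# Added example: verify on disk that a section is encrypted instead of trusting
# the tool's "Succeeded!" message. Test-SectionEncrypted is a hypothetical name.
function Test-SectionEncrypted {
    param([Parameter(Mandatory)][string]$Directory,   # folder that holds web.config
          [Parameter(Mandatory)][string]$Section)     # top-level section name, exact case
    $load = {
        param($path)
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load((Resolve-Path -LiteralPath $path).Path)
        $doc
    }
    $root = (& $load (Join-Path $Directory 'web.config')).DocumentElement
    $node = $root.ChildNodes | Where-Object { $_.LocalName -ceq $Section } | Select-Object -First 1
    if ($null -eq $node) { throw "Section '$Section' not found in web.config." }

    # Follow configSource to the external file, whose root element is the section itself.
    $source = $node.GetAttribute('configSource')
    if ($source) { $node = (& $load (Join-Path $Directory $source)).DocumentElement }

    $hasProvider = [bool]$node.GetAttribute('configProtectionProvider')
    $hasCipher   = @($node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' }).Count -gt 0
    return ($hasProvider -and $hasCipher)
}

# Constructed sample mirroring the question: the section lives in an external file.
$dir = Join-Path $env:TEMP 'regiis-verify'
New-Item -ItemType Directory -Path (Join-Path $dir 'config') -Force | Out-Null
@'
<configuration>
  <configSections>
    <section name="customSettings" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <customSettings configSource="config\customSettings.config" />
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $dir 'web.config')
'<customSettings><add key="k" value="v" /></customSettings>' |
    Set-Content -LiteralPath (Join-Path $dir 'config\customSettings.config')

if (-not (Test-SectionEncrypted -Directory $dir -Section 'customSettings')) {
    Write-Warning 'customSettings is still plaintext on disk.'
}
```

In a release pipeline, replace the warning with a non-zero exit so a deployment with plaintext settings fails.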

While decrypting the web.config get an error

I am just trying to test this.
And here is my command line:
aspnet_regiis.exe -pdf "connectionStrings" c:\web.config
And this is the error I got.
Error – "The configuration for physical path ‘C:\Web.Config’ cannot be opened.
And the permissions of that file is not read only.
Can anyone please suggest.
This is a very old post but I was searching for it myself today and found that if you omit the file name it will pick up Web.config in the directory you specify:
aspnet_regiis -pdf "connectionStrings" c:\temp
If you add a trailing \ or the full name c:\temp\Web.config it will still fail.
Also, the c:\ may have been an administrator privilege issue reading and writing to the root.
Cheers
You should keep web.config in a folder close to the application code. The root folder (c:) is an admin-only folder and shouldn't be used for anything!

encrypting web.config failed error

I know that people have already asked questions regarding encrypting web.config.
I'm also trying to encrypt my test config file, but I'm getting this error.
aspnet_regiis -pef "connectionStrings" "C:\encryptedWeb.config"
Encrypting configuration section...
The configuration for physical path 'C:\EncryptedWeb.config' cannot be opened.
Failed!
I just want to know, what could be reasons that it failed.
I got the answer, it was the readonly property of the web.config which was the problem.
After I removed the readonly it worked like a charm.
For the command "aspnet_regiis -pef", the path of the configuration file is the physical path (not virtual), and it is the path of the directory/folder where web.config resides. So one should not include the name of the file in the path, e.g.
if your web.config path is at D:\MyConfiguration\web.config then while encrypting/decrypting you will use it as follow:
encrypt:
aspnet_regiis -pef [sectionName] "D:\MyConfiguration"
decrypt:
aspnet_regiis -pdf [sectionName] "D:\MyConfiguration"
I know this is old, but I've just had the same issue and none of the other answers got the problem.
You're not supposed to put the filename in the path, and the file MUST be called web.config. So for your example, if your web.config file is actually in C:\ you would put:
aspnet_regiis -pef "connectionStrings" "C:\"
and your file MUST be called web.config as the tool will only look for that file.
For those people whose file isn't in C:\ you'll need to put the full path to the file (root of the site). You'll also need to cd into the directory containing the aspnet_regiis.exe file or put the full file path for the tool as well:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pef "ConnectionStrings" "C:\Ghron\Projects\Company\trunk\project1\project1"
Also, some of the other answers are valid points - the parameters are case sensitive, so your paths and section names must be in the right case. I wasted about 20 minutes using "ConnectionStrings" instead of "connectionStrings" (lower case c).
The Sections are CASE SENSITIVE.
Do not Add \ at the end of the path (no web.config needed).
You don't need to do it straight on a site; instead, copy the file to any location.
Encrypting:
aspnet_regiis -pef "SECTIONTOENTRYPT" "d:\tempEnCrypt" -prov WhateverProviderYouAreUsing
Decrypting:
aspnet_regiis -pdf "SECTIONTOENTRYPT" "d:\tempEncrypt"
You can use this to encrypt an app.config as well, just rename the file for the encryption/decryption as web.config
Encrypt/Decrypt web.config
source is taken from this link https://mywebanecdotes.com/2016/09/17/encrypting-credentials-in-app-config-for-multiple-machines/
Firstly, if you have App.config, you need to rename to Web.config. And when done rename it back. This is because aspnet_regiis.exe recognize only Web.config file.
Then create a custom attribute SecuredSettings (any name is fine) in either your App.config or Web.config file.
<configuration>
  <configSections>
    <section name="SecuredSettings" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <SecuredSettings>
    <add key="pwrd" value="password" />
  </SecuredSettings>
  <configProtectedData>
    <providers>
      <add keyContainerName="MyCustomKeys"
           useMachineContainer="true"
           name="MyEncryptionProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider"/>
    </providers>
  </configProtectedData>
</configuration>
In C# you can retrieve these values as you would do it normally. eg:
var attr = ConfigurationManager.GetSection("SecuredSettings") as NameValueCollection;
var value = attr["pwrd"];
The rest is encrypting or decrypting
Run cmd as Administrator, and locate to C:\Windows\Microsoft.NET\Framework\v4.0.30319
"Create a public/private RSA key pair with a specific container name. They should also be marked as exportable (otherwise what is the point!)"
aspnet_regiis.exe -pc MyCustomKeys -exp
"Grant permissions for accounts to access the container"
aspnet_regiis.exe -pa MyCustomKeys "NT AUTHORITY\NETWORK SERVICE"
"The following line will now encrypt your section (the pwrd value). The -pef switch is telling the application to look for a web.config file and to use the provider that is declared in the beginning (which is using type RsaProtectedConfigurationProvider)"
aspnet_regiis.exe -pef "SecuredSettings" "C:\DEV\ConsoleApp\DEX" -prov MyEncryptionProvider
Export those Keys to another machine (if needed)
aspnet_regiis.exe -px MyCustomKeys keys.xml -pri
It will generate the keys.xml file in C:\Windows\Microsoft.NET\Framework\v4.0.30319
Copy this file and put it on the other machine where you would like to use it, in the same location C:\Windows\Microsoft.NET\Framework\v4.0.30319, and run:
aspnet_regiis -pi MyCustomKeys keys.xml
Afterwards you can delete the file from both sides.
Don't forget to rename Web.config to App.config, if you did so at the beginning.
TO Decrypt the file:
aspnet_regiis.exe -pdf "SecuredSettings" "C:\DEV\ConsoleApp\DEX"
I was experiencing the same problem and here's what worked for me:
add the aspnet_regiis tool's folder path to your %PATH% variable. This ensures that the tool is accessible from any folder in your command line. See this page for a brief explanation of how to add %PATH% variables: http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx
navigate to your web root folder (don't know if this is necessary but that's where I was navigated when I executed the command)
execute the command with the -pe argument and the -app argument like such:
aspnet_regiis -pe {section to encrypt} -app "{path from root folder to app, like: "/myappname", use quotes}
Take a look at this, see if you set it up correctly
http://msdn.microsoft.com/en-us/library/ms998283.aspx
A possibility is to specify the site with
-site "SiteName"
otherwise it will use the default web site.
You could try and use this tool to encrypt your web config
I am having same issue while encrypting configuration file from a web site.
Provide command to encrypt from a site and not default website.
Below command works when application is in defaultwebsite:
aspnet_regiis.exe -pe "connectionStrings" -app "/sitename" -prov "DataProtectionConfigurationProvider"
I got an "illegal characters in path" error that went away when I removed the double quotes that surrounded my path name. Doesn't make any sense, but there you are.
I also wrote a PowerShell script to do the encrypt/decrypt without dealing with aspnet_regiis : https://github.com/mhenry1384/EncryptDecryptConfig
Don't forget to run CMD as administrator, as I did today, if your servers make use of that feature. Quite a simple mistake to make.
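
The failure causes reported across these threads can be checked before running `aspnet_regiis -pef`. The PowerShell below is an added example, not code from any of the posts: it checks that the path is a folder holding web.config, that the file is writable, that `<configSections>` is the first child of `<configuration>` (the .NET configuration system requires this, which matches the ordering fix reported in the first thread above), and that the section name matches case-exactly. `Test-RegiisTarget`, the temp folder and the sample file are constructed for illustration.

```powershell
# Added example (not from the original posts): pre-flight checks before
# `aspnet_regiis -pef <section> <directory>`. Test-RegiisTarget is a hypothetical name.
function Test-RegiisTarget {
    param([Parameter(Mandatory)][string]$Directory,
          [Parameter(Mandatory)][string]$Section)
    $problems = New-Object System.Collections.Generic.List[string]
    # -pef takes the folder that holds web.config, without a trailing backslash.
    if ($Directory -match '\.config$') { $problems.Add('Pass the folder, not the file name.') }
    if ($Directory -match '[^:]\\$')   { $problems.Add('Remove the trailing backslash.') }

    $file = Join-Path $Directory 'web.config'
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        $problems.Add("No web.config in '$Directory'; the tool looks for that file name only.")
        return $problems
    }
    if ((Get-Item -LiteralPath $file).IsReadOnly) { $problems.Add('web.config is read-only.') }

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $file).Path)
    $names = @($xml.DocumentElement.ChildNodes |
               Where-Object { $_.NodeType -eq 'Element' } |
               ForEach-Object { $_.LocalName })

    # <configSections>, when present, must be the first child of <configuration>.
    if (($names -ccontains 'configSections') -and ($names[0] -cne 'configSections')) {
        $problems.Add('<configSections> must come first; move <configProtectedData> below it.')
    }
    # Section names are case sensitive. Only top-level sections are checked here.
    if ($names -cnotcontains $Section) {
        $near = @($names | Where-Object { $_ -ieq $Section })
        if ($near.Count) { $problems.Add("Wrong case: use '$($near[0])', not '$Section'.") }
        else             { $problems.Add("No top-level section named '$Section'.") }
    }
    return $problems
}

# Constructed sample: <configProtectedData> placed before <configSections>.
$dir = Join-Path $env:TEMP 'regiis-preflight'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<configuration>
  <configProtectedData><providers /></configProtectedData>
  <configSections>
    <section name="SecuredSettings" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <SecuredSettings><add key="pwrd" value="password" /></SecuredSettings>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $dir 'web.config')
Test-RegiisTarget -Directory $dir -Section 'securedsettings' | ForEach-Object { Write-Warning $_ }
```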
