How do I encrypt web.config connection strings during deployment from the command line, specifying the encryption provider? - encryption

I know I can do this to encrypt connection strings in a web site that is already deployed:
aspnet_regiis -pe connectionStrings
I can also encrypt connection strings in a web site before it is deployed by doing this:
aspnet_regiis -pef connectionStrings .\WebApplication1
I also know how to make my own RSA key, install it on several computers, and set up an encryption provider for that key, so I can encrypt it on one machine and publish it on another:
aspnet_regiis -pef connectionStrings .\WebApplication1 -prov MyProvider
I can even tell MSBuild to encrypt the connection strings for me during deployment by adding a line to the .pubxml file (https://msdn.microsoft.com/en-us/library/ee942158%28v=vs.110%29.aspx#encrypt_webconfig).
But what I really need to do is this:
create the web site source code and save it in source control with the connection strings decrypted;
build the web site, transforming the web.config file with web.debug.config or web.release.config;
encrypt the connection strings in the transformed web.config using my custom encryption provider;
and then publish it
all from an automated process. Note: I can't encrypt the connection strings first and then build the web site, because I have to transform the web.config file before encrypting it. I don't want to publish the web site first and then encrypt the connection strings, because I don't want the decrypted connection strings to be on the web server even for a brief time. I want to encrypt the connection strings during the deploy process, but with my own encryption provider. How can I do that? It's got to be possible. Any combination of msbuild commands, msdeploy commands, and .pubxml file settings would be acceptable.
I've tried searching for how to do this -- I really have -- but I can't find a comprehensive reference for msbuild.exe / msdeploy.exe / *.pubxml ANYWHERE. (That's a separate question.)
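One way to get the build-transform-encrypt-publish order the question asks for, as an added example (not code from the question or any answer): a PowerShell release step that publishes to a staging folder, runs aspnet_regiis -pef with the custom provider there, checks the result, and only then calls msdeploy. It assumes WebApplication1.csproj in the current directory, a provider named MyProvider already declared in web.config with its RSA key container installed on both the build machine and the target, and placeholder server, site and credential names.

```powershell
# Added example: scripted build -> transform -> encrypt -> publish pipeline.
# Nothing in plaintext reaches the web server; encryption happens in $staging.
$ErrorActionPreference = 'Stop'
$msbuild  = 'msbuild.exe'   # assumed on PATH (e.g. a Developer Command Prompt)
$regiis   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$msdeploy = 'C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe'
$staging  = 'C:\staging\WebApplication1'
$provider = 'MyProvider'                         # declared in <configProtectedData>
$server   = 'web01.example.test'                 # placeholder target host
$sitePath = 'Default Web Site/WebApplication1'   # placeholder IIS site/app path
function Assert-Ok([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# 1. Build and publish to the file system. Web.Release.config is applied here,
#    so $staging\web.config is the transformed but still-plaintext file.
& $msbuild 'WebApplication1.csproj' '/t:Rebuild' '/p:Configuration=Release' `
    '/p:DeployOnBuild=true' '/p:WebPublishMethod=FileSystem' `
    "/p:PublishUrl=$staging" '/p:DeleteExistingFiles=true'
Assert-Ok 'msbuild'

# 2. Encrypt in the staging folder. -pef takes the directory holding web.config,
#    -prov selects the provider. The account running this step (a build agent
#    service account included) must have been granted access to the RSA key
#    container with "aspnet_regiis -pa <container> <account>" beforehand.
& $regiis -pef 'connectionStrings' $staging -prov $provider
Assert-Ok 'aspnet_regiis -pef'

# 3. Refuse to publish unless the section is really protected by our provider.
#    aspnet_regiis marks an encrypted section with a configProtectionProvider
#    attribute and replaces its content with an <EncryptedData> element.
[xml]$cfg = Get-Content -Raw (Join-Path $staging 'web.config')
$cs = $cfg.configuration.connectionStrings
if ($cs.configProtectionProvider -ne $provider -or -not $cs.EncryptedData) {
    throw 'connectionStrings is still plaintext or uses the wrong provider; not publishing'
}

# 4. Sync the folder to the target over Web Management Service (port 8172).
#    Credentials come from environment variables set by the release job.
$dest = "contentPath=$sitePath,computerName=https://${server}:8172/msdeploy.axd?site=Default%20Web%20Site," +
        "userName=$env:DEPLOY_USER,password=$env:DEPLOY_PASS,authType=Basic"
& $msdeploy '-verb:sync' "-source:contentPath=$staging" "-dest:$dest" '-allowUntrusted'
Assert-Ok 'msdeploy'
```

Drop -allowUntrusted once the target's WMSvc certificate is trusted by the build machine; the check in step 3 is what stops a failed or skipped encryption from being published.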

Related

How can I transfer encrypted web.config settings

I ran the following command to encrypt credentials in web.config on my dev machine, tested the code, and it worked fine; however, when I published to the web server it would fail, as apparently the encryption is specific to the machine.
I then tried to run the same command on the unencrypted web.config on my web server and it completed successfully; however, the same symptoms are still present within the website, where it cannot find the credentials. What am I doing wrong? What is the proper process for encrypting a web.config section and then publishing to another machine?
aspnet_regiis.exe -pef "secureAppSettings" "C:\Users\project" -prov "DataProtectionConfigurationProvider"

What are the Steps to follow to update web.config in an IIS webserver

I am new to web development. We have a legacy intranet web application using ASP.NET Web Forms.
We have encrypted the connection strings in web.config using the ASPNET_REGIIS tool, based on security feedback. I am able to test it locally using IIS Express.
What are the steps to follow to update the old web.config with the new web.config in an environment?
We need to update web.config in multiple environments (DEV, TEST, UAT) before refreshing production.
We will be announcing downtime for this. Please list the steps, like resetting IIS, etc.
Since the key used to encrypt/decrypt is different on each server, you can decrypt the connection strings section before publishing. Then just overwrite the web.config on your target server and encrypt the connection strings with the aspnet_regiis tool again. You can find aspnet_regiis under the root folder of the .NET Framework.
Of course, there is a way to sync up the RSA container for multiple servers.
https://learn.microsoft.com/en-us/previous-versions/aspnet/yxw286t2(v=vs.100)
After that, please don't forget to grant permission on the machine key file in \Microsoft\Crypto\RSA\MachineKeys.
Finally you just have to recycle the application pool.
I had to do the steps below:
First and foremost: took a backup of the existing web.config, so that if something goes wrong I can fall back to the original web.config.
As web.config encryption is machine specific, I encrypted the web.config using the ASPNET_REGIIS tool, as mentioned in the CodeProject link.
Web.config changes are automatically picked up by IIS. I did not have to restart IIS or recycle the AppPool. The site was working fine with the new web.config changes I made.

TFS 2017 - aspnet_regiis.exe On release definition?

I have a batch script step that runs at the end of my web deploy. The script encrypts a connection string in web.config using aspnet_regiis.exe. In the logs it looks like it went fine, but it doesn't actually encrypt the connectionString; when I run the batch locally on my remote machine it works. Is there a way to do it through the Release definition, or does the user have to run the batch locally every time?
Here is the code.
start C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/" -site "2"
echo Encryption Successfull!
pause
First, I suggest using your build service account to RDP to the remote machine and run the batch script. Double check whether you are missing any permission for the account.
Since the logs look like it went fine but it doesn't actually encrypt the connectionString, also try the tests below:
Have you compared the transformed web.config file that is deployed to the server to the original encrypted config file? Test with both files on the server.
Try unencrypting the config file on the server and see if you get the correct connection strings back.

Encrypt loggingConfiguration using enterprise library configuration tool either for one server or to use with web farm

I want to encrypt the information in the loggingConfiguration section in web.config using the Enterprise Library configuration tool, to work on one server or on a web farm.
I tried many ways but it didn't work.
I tried to encrypt the connection string and it worked fine.
Did you read this:
You can encrypt and decrypt the data in a configuration file's configuration sections. A configuration section contains the configuration information for an application block.
The configuration tool allows you to select from the encryption providers that are included in the Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses DPAPI, and the RsaProtectedConfigurationProvider, which uses RSA.
If the encrypted configuration file is going to be on only a single server, you can use the DataProtectionConfigurationProvider.
If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy for you to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.
To encrypt a configuration section:
Open one of the configuration tools.
Open an existing configuration file or create a new one.
Click the name of the application block whose configuration information you want to encrypt.
In the Properties pane, click ProtectionProvider.
Select either DataProtectionConfigurationProvider or RsaProtectedConfigurationProvider.
All the settings for the providers, such as where keys are stored, are also in the Machine.config file. You cannot change this file with a configuration tool. Instead, you must modify the file using a text editor. To decrypt a configuration file, simply open it in the configuration tool. The file is automatically decrypted.
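The web-farm workflow quoted above (encrypt on one server, export the RSA private key, import it on each target, then grant access, as the earlier answer about syncing the RSA container and the MachineKeys permission also describes) as an added PowerShell example, not code from this answer or from Microsoft. It assumes a container named MyKeys, a provider named MyProvider, an app pool identity of IIS APPPOOL\MyAppPool and a web.config at .\WebApplication1\web.config; run it with -Role Declare once on the project, -Role Export once on the encrypting machine, and -Role Import on every server.

```powershell
# Added example: declare an RSA provider, then share its key container across servers.
param(
    [Parameter(Mandatory)][ValidateSet('Declare','Export','Import')][string]$Role,
    [string]$Container    = 'MyKeys',                  # assumed RSA key container name
    [string]$Provider     = 'MyProvider',              # assumed name used with -prov
    [string]$KeyFile      = 'C:\keys\MyKeys.xml',      # export file; holds the PRIVATE key
    [string]$PoolIdentity = 'IIS APPPOOL\MyAppPool',   # assumed worker-process identity
    [string]$WebConfig    = '.\WebApplication1\web.config'
)
$ErrorActionPreference = 'Stop'
$regiis = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
function Assert-Ok([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

switch ($Role) {
  'Declare' {   # register the provider so "-pef ... -prov $Provider" can resolve it
    [xml]$cfg = Get-Content -Raw $WebConfig
    if ($cfg.configuration.SelectSingleNode('configProtectedData')) {
        throw "$WebConfig already has <configProtectedData>; add the <add> entry there by hand"
    }
    $frag = $cfg.CreateDocumentFragment()
    # useMachineContainer="true" means the machine-level store, which -pc/-pi use below
    $frag.InnerXml = @"
<configProtectedData><providers>
  <add name="$Provider" keyContainerName="$Container" useMachineContainer="true"
       type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers></configProtectedData>
"@
    $null = $cfg.configuration.AppendChild($frag)
    $cfg.Save((Resolve-Path $WebConfig).Path)
  }
  'Export' {    # run once, on the machine that will do the encrypting
    & $regiis -pc $Container -exp          ; Assert-Ok 'create key container'
    & $regiis -px $Container $KeyFile -pri ; Assert-Ok 'export container with private key'
    # If a different account (e.g. a build agent) runs -pef, grant it with -pa first.
  }
  'Import' {    # run on every web server that must decrypt the shared web.config
    & $regiis -pi $Container $KeyFile      ; Assert-Ok 'import key container'
    & $regiis -pa $Container $PoolIdentity ; Assert-Ok 'grant app pool read access'
    Remove-Item $KeyFile                    # the private key must not linger on the server
  }
}
```

Move the export file between machines over a trusted channel only; it is the private key, and anyone holding it can decrypt every web.config protected with that container.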

Connectionstring Encryption in MVC2 .NET 4.0 app

I have an MVC2 .NET 4.0 app, hosted on TFS 2008 (soon to be TFS 2010) that uses connection strings in web.config to connect to a database on another server. I need to encrypt these connection strings.
As I understand it, I can use aspnet_regiis.exe to encrypt the connectionstring portion of the web.config file, but I have to do it on the deployment machine because the encryption uses the machine name to generate the encryption key.
Now, it seems to me that this represents a problem: every time I deploy my code to the dev server, won't it overwrite the web.config file, which will then need to be re-encrypted? This sort of manual process seems kludgy.
Is my understanding about needing to re-encrypt after deployment correct?
If so, is there some way to automate this process? I don't want to forget this or get a new team member who doesn't know the process and have the connectionstring exposed to the world.
Web.config files aren't typically part of a deployment (though Visual Studio 2010 supports configuration file transforms in web application deployment projects). I wouldn't expect that you should be overwriting the web.config when you deploy (because the web.config is where you would place those things that are specific to that machine/environment).
So, encrypt it once, and then don't overwrite it, would be my advice.
Since that isn't available in your situation, it is possible to specify a key when encrypting, so that you can share the encrypted file between machines. By default, the command to encrypt uses the DPAPI to encrypt the section (which is tied to the machine) but you can also use RSA for encryption. More info is available on MSDN in Specifying a Protected Configuration Provider.