We are developing an application with .NET and we are connecting to an SQL 2008 db on a Windows server. Up until now we have been a small team which meant that the following code was acceptable:
<add key="ConnectionString" value="Server=00.000.000.00;uid=myUsername;pwd=myPassword;Database=myDatabase" />
This is then called when I want to connect to the database.
Our team is expanding and the new developers should not have access to the database credentials. They will have access to the application code and they have to connect to the database which is on a non-local server whilst running in debug mode locally.
What is the best (and fastest) solution to allow them to connect to the database without having credentials which will allow them to open the database and view the tables?
The quickest and easiest solution would be to encrypt the ConnectionString in your config file. It's pretty simple to do as well.
Open CMD and change the directory to the .NET Framework version (your preferred version) directory by typing the following command:
cd \WINDOWS\Microsoft.Net\Framework\yourversion
At the command prompt, run aspnet_regiis.exe with the following options:
The -pe option and the string "connectionStrings" to encrypt the connectionStrings element of the Web.config file for your application.
The -app option and the name of your application.
For example, the following command encrypts the connectionStrings section of the Web.config file for an application named MyApplication.
aspnet_regiis -pe "connectionStrings" -app "/MyApplication"
The encrypted connectionString will look something like
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>RSA Key
</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>WcFEbDX8VyLfAsVK8g6hZVAG1674ZFc1kWH0BoazgOwdBfinhcAmQmnIn0oHtZ5tO2EXGl+dyh10giEmO9NemH4YZk+iMIln+ItcEay9CGWMXSen9UQLpcQHQqMJErZiPK4qPZaRWwqckLqriCl9X8x9OE7jKIsO2Ibapwj+1Jo=
</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>
</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
You can see this article for more information.
I want to encrypt the connectionStrings section of my web.config. I have tried to do this by following the steps below:
Open Developer Command Prompt for VS2013
aspnet_regiis -pef "connectionStrings" -app "/E:\New folder\WebApplication1\WebApplication1"
It is throwing me the error "a configuration file cannot be created for the requested configuration object. failed"
I did some googling but I am not able to understand why I am facing this. I have tried changing the permissions of the website folder.
Do I need to set up the website in IIS?
Please help me to solve this issue.
Thanks in advance.
<configuration>
<configProtectedData defaultProvider="SampleProvider">
<providers>
<add name="SampleProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
keyContainerName="SampleKeys"
useMachineContainer="true" />
</providers>
</configProtectedData>
</configuration>
Add the above section to web.config.
Open Developer Command Prompt for VS2013
Change directory to C:\Windows\Microsoft.NET\Framework\v4.0.30319 using
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
Run the following command:
aspnet_regiis -pef "connectionStrings" "E:\New folder\WebApplication2\WebApplication2"
It encrypts the connection string. :)
I have the following encrypted identity tag in my web config file:
<identity configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>iafzB3KzsJNARz+5zffLyV2Rzuu/UjLdFr3D8jHfJHKGC6u3jlFB8f/FeveEsQqNP981rbFafKlXXdyG/DGMMkowWbnkQVYaffIUDkvk19jIntsFqufWYJWOO95CceKjjZPeNHh8FCadp1et5Th/mCUtz8xsQ9s8e92t64J8jlg=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>MWlwJley/C3TbezWLE+wPHo22L1Tog6xCTm999SoWkUzvIz+FdrVgBw3+x5GexO7BNG6KycamWqSdCl+1pD4a/rWfYbY26We5AgrPh20kTN7WKf9noFmCg==</CipherValue>
</CipherData>
</EncryptedData>
</identity>
I want to know what keyword I should use at the command prompt to decrypt the identity section in the web config.
Currently I am using this:
C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -pdf identity C:\inetpub\vhosts\kimpolling.nl\httpdocs
But it is not working.
You can decrypt the encrypted Web.config file contents, if you want to, by running aspnet_regiis.exe with the -pd option. The syntax is the same as the syntax for encrypting Web.config file contents with the -pe option, except that you do not specify a Protected Configuration provider.
Example:
aspnet_regiis -pd "connectionStrings" -app "/MyApplication"
The above will decrypt the connectionStrings.
I need to encrypt part of our web.config for our ASP.Net 4.0 project, but we are required to use AES and the default appears to be Triple DES. How can I tell it to use AES encryption instead?
In the command prompt I do the following commands:
aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
aspnet_regiis -pe "connectionStrings" -app "/<myapp>"
I figure I set the encryption method to AES by selecting the appropriate CSP (-csp) but I haven't been able to find or figure out the name of the right one.
And one of the lines in the encrypted web.config is:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
The provider is selected using the -prov parameter to aspnet_regiis. The providers are registered in the web/machine.config using the configProtectedData section. In order to register AES you would use something like this:
<configProtectedData>
<providers>
<add name="AesProvider"
type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider"
description="Uses an AES session key to encrypt and decrypt"
keyContainerName="iisConfigurationKey" cspProviderName=""
useOAEP="false" useMachineContainer="true"
sessionKey="aSessionKeyGoesHere" />
</providers>
</configProtectedData>
On my machine RSA and DPAPI are the preconfigured algorithms in machine.config.
Provided that the AES provider is registered you should be able to encrypt a config section using:
aspnet_regiis -pe "connectionStrings" -app "/<myapp>" -prov "AesProvider"
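An added example, not part of any post above, tied to the first question's plaintext `ConnectionString` entry and to the `tripledes-cbc` line in the AES question: a small Python audit that reports passwords left in `<add>` entries and the xmlenc algorithms used by protected sections. The sample config is constructed (placeholder credentials, dummy cipher value), and the set of algorithm names to flag is an assumption to adjust to your own policy.

```python
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
LEGACY = ("tripledes-cbc", "rsa-1_5")  # assumption: adjust to your policy
SECRET = re.compile(r"\b(pwd|password)\s*=\s*[^;\s]", re.IGNORECASE)

def local(tag):
    """Strip an XML namespace so a <configuration xmlns=...> file still matches."""
    return tag.split("}")[-1]

def audit_config(xml_text):
    """Return sorted (section, finding) pairs for a web.config or app.config."""
    findings = set()
    for section in ET.fromstring(xml_text).iter():
        name = local(section.tag)
        # Protected section: report the xmlenc algorithms it was encrypted with.
        if section.get("configProtectionProvider"):
            for method in section.iter(XMLENC + "EncryptionMethod"):
                alg = method.get("Algorithm", "").rsplit("#", 1)[-1]
                if alg in LEGACY:
                    findings.add((name, "legacy-algorithm:" + alg))
        # Unprotected <add> children: look for a password inside the value.
        for child in section:
            text = child.get("value", "") + ";" + child.get("connectionString", "")
            if local(child.tag) == "add" and SECRET.search(text):
                label = child.get("key") or child.get("name") or "?"
                findings.add((name, "plaintext-credential:" + label))
    return sorted(findings)

# Constructed sample: placeholder credentials from the question, dummy cipher value.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ConnectionString" value="Server=00.000.000.00;uid=myUsername;pwd=myPassword;Database=myDatabase" />
  </appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>AAAA</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```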
I have a "Class library project" which later works as an HttpHandler on a web server. So locally I have 2 files: app.config (for local dev, because it is a dll) and web.config (for the remote web server).
So now I wanted to encrypt the config file. Everything was encrypted and imported on the remote web server. But the handler doesn't work. I receive an error: "Failed to decrypt using provider 'My_Provider'. Error message from the provider: The RSA key container could not be opened."
At my dev PC everything works fine. What is wrong?
So these are my export steps:
cd %windir%\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis -pc "My_Keys" -exp
aspnet_regiis -pa "My_Keys" "IIS APPPOOL\CustomAppPool"
aspnet_regiis -pef "connectionStrings" "HandlerProjectPath" -prov "My_Provider"
aspnet_regiis -px "MyKeys" "HandlerProjectPath\MyKeys.xml" -pri
pause
These are the import steps:
%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pi "My_Keys" "MyKeys.xml"
pause
p.s. My handler works at IIS 7 inside my custom AppPool with name "CustomAppPool". I specially created an app pool name at my PC.
This is my configData:
Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
keyContainerName="My_Keys"
useMachineContainer="true" />
</providers> </configProtectedData>
Thanks in advance!
I think you need to grant access to the container to the IIS Identity assigned to your AppPool, after you import the key pair.
I'm receiving the following error when trying to access a web service that is using (for temporary reasons) an encrypted system.web/identity entry:
Failed to decrypt using provider 'DataProtectionConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
I've followed the steps found in comments at http://blogs.msdn.com/mosharaf/archive/2005/11/17/protectedConfiguration.aspx, and these are the steps I've done:
Added "xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"" to the configuration attribute in the web service's web.config
Created a container using aspnet_regiis -pc "DataProtectionConfigurationProviderKeys" -exp
Added the following to the web.config:
<configProtectedData>
<providers>
<clear />
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,processorArchitecture=MSIL"
keyContainerName="DataProtectionConfigurationProviderKeys"
useMachineContainer="true" />
</providers>
</configProtectedData>
Granted access to the key container to the account IIS is running under: aspnet_regiis -pa "DataProtectionConfigurationProviderKeys" "eca\iusr_xxxxx". I also granted access to the impersonated account (e.g. the one in the identity attribute) using the same command.
I then encrypted the system.web/identity entry: aspnet_regiis -pef "system.web/identity" "C:\ddrive\EcaDevelopment\EcaApplicationsNet2\Projects\TASV2\Mainline\src\TASV2.WordToPdf.WebSvc" -prov "DataProtectionConfigurationProvider"
But, when I try to run my test harness against the web service, I get:
Failed to decrypt using provider 'DataProtectionConfigurationProvider'. Error message from the provider: The RSA key container could not be opened.
What have I missed out? Can I actually encrypt just the identity tag? I can encrypt and use the connectionStrings no problem...