Azure配置设置比Web.Config安全吗?
[英]Azure Configuration Settings More Secure than Web.Config?
问题描述
I'm using Azure Cloud Services, not Web Sites. 
我使用的是Azure云服务,而不是网站。
I would like to know if storing sensitive data (passwords) in Azure Service Configuration Settings is secure. 我想知道在Azure服务配置设置中存储敏感数据(密码)是否安全。
I really don't want to implement the 4-part blog series required to encrypt the web.config in Azure Web Roles, so I'm thinking I could just keep my settings in Azure config and then access them through RoleEnvironment.GetConfigurationSettingValue() . 我真的不想实现在Azure Web Roles中加密web.config所需的4部分博客系列,因此我想我可以将设置保留在Azure config中,然后通过RoleEnvironment.GetConfigurationSettingValue()访问它们。
These settings are in a config file much like web.config, so my question is whether this config file is just used to build the cloud service and then discarded, or if it stays on disk during the life of the instance (thereby exposing sensitive data to attack). 这些设置位于与web.config相似的配置文件中,因此我的问题是此配置文件是否仅用于构建云服务然后丢弃,还是在实例生命周期内保留在磁盘上(从而暴露敏感数据)去攻击)。
I like the ability to update these settings at runtime through the Portal and I consider the Portal a secure endpoint, so I'm OK with it. 我喜欢在运行时通过门户网站更新这些设置的功能,并且我认为门户网站是一个安全的端点,因此我对此很满意。 However, if the file stays on disk then it is no more secure than the web.config file IMHO. 但是,如果文件保留在磁盘上,则它比web.config文件IMHO安全得多。
2 个解决方案
解决方案1
4 2014-07-29 16:28:12
We encrypt/decrypt Azure config settings and other content using the domain certificate installed on the web roles. 我们使用Web角色上安装的域证书对Azure配置设置和其他内容进行加密/解密。 I posted a full example on my blog here: Securing Azure ServiceConfiguration values for Enterprise Deployment . 我在这里的博客上发布了一个完整的示例: 保护企业部署的Azure ServiceConfiguration值 。
解决方案2
0 2015-07-26 05:12:47
I created a feature request: http://feedback.azure.com/forums/34192--general-feedback/suggestions/9025255-certificate-based-settings-encryption 我创建了一个功能请求: http : //feedback.azure.com/forums/34192--general-feedback/suggestions/9025255-certificate-based-settings-encryption
This is similar (but more idiomatic, imho) to what Remote Desktop plugin does. 这与远程桌面插件的功能类似(但更惯用了,恕我直言)。 Remote Desktop adds: 远程桌面添加:
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="<name-of-user-account>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="<base-64-encrypted-password>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="<certificate-expiration>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="<certificate-thumbprint>" thumbprintAlgorithm="sha1" />
</Certificates>
RDP plugin "knows" Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword value is encrypted will use the certificate Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption to decrypt it. RDP插件“知道” Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword值已加密,将使用证书Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption进行解密。
My feature request is to add attribute named thumbprint to <Setting /> node. 我的功能请求是将名为thumbprint属性添加到<Setting />节点。 Calls to CloudCloudConfigurationManager.GetSetting() would seamlessly decrypt the value using the certificate indicated. 调用CloudCloudConfigurationManager.GetSetting()将使用指示的证书无缝解密该值。
How wonderful that would be... 那将是多么美妙...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.