MSMQ. Keep message body encrypted while it is stored on drive

My project requires all data to be kept encrypted, so MSMQ needs to be encrypted too. But as is known from the article ( https://msdn.microsoft.com/en-us/library/ms704178(v=vs.85).aspx ), messages from private queues are stored by default in the …\MSMQ\Storage\p000000x.mq file.

When I configure a private queue, set its privacy level to "Body", and send an encrypted message to this queue, then open the …\MSMQ\Storage\p000000x.mq file in a text viewer (I use the Far Manager hex editor), I see the plain text of the message. It is not encrypted. To send the message I use the following code:

// System.Messaging: UseEncryption protects the body only in transit between queue managers
message.UseEncryption = true;
message.EncryptionAlgorithm = EncryptionAlgorithm.Rc2;

The message in …\MSMQ\Storage\p000000x.mq stays plain, despite the message encryption specified. See the picture below.

So my question: Is there some built-in tool to keep the message encrypted on drive in the …\MSMQ\Storage\p000000x.mq file? Or do I need to encrypt the message body before sending it to the queue, and then, when I peek from the queue, decrypt it?

Thanks a lot!

Yes, you will need to encrypt the data BEFORE putting it into a message and then decrypt the data AFTER reading the message.

"Using Application Encryption on the Data" http://blogs.msdn.com/b/johnbreakwell/archive/2008/09/12/sending-encrypted-msmq-messages.aspx
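One way to do what this answer describes, as an added example rather than code from the answer or the linked post: the body is sealed with AES-256-CBC plus HMAC-SHA256 before Send, so only ciphertext reaches the .mq file, and is verified and decrypted after Receive. The SecureBody class, the all-zero placeholder keys and the five-second receive timeout are assumptions; real keys would come from DPAPI, a certificate store or a key vault.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Messaging;
using System.Security.Cryptography;
using System.Text;

// Placeholder keys, constructed for the example only; never ship keys in source.
static class SecureBody
{
    static readonly byte[] EncKey = new byte[32], MacKey = new byte[32];

    // Encrypt-then-MAC: IV || AES-256-CBC ciphertext || HMAC-SHA256 over both.
    public static byte[] Seal(string plaintext)
    {
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(MacKey))
        {
            aes.Key = EncKey; aes.GenerateIV();        // fresh IV per message
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length);
            byte[] ivAndCipher = aes.IV.Concat(cipher).ToArray();
            return ivAndCipher.Concat(hmac.ComputeHash(ivAndCipher)).ToArray();
        }
    }

    public static string Open(byte[] sealedBody)
    {
        int macOffset = sealedBody.Length - 32;
        if (macOffset < 16) throw new CryptographicException("Truncated body");
        byte[] ivAndCipher = sealedBody.Take(macOffset).ToArray();
        using (var hmac = new HMACSHA256(MacKey))
        using (var aes = Aes.Create())
        {
            byte[] expected = hmac.ComputeHash(ivAndCipher);
            int diff = 0;  // constant-time compare: do not stop at the first mismatch
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ sealedBody[macOffset + i];
            if (diff != 0) throw new CryptographicException("Bad MAC");  // tampered or wrong key
            aes.Key = EncKey; aes.IV = ivAndCipher.Take(16).ToArray();
            return Encoding.UTF8.GetString(
                aes.CreateDecryptor().TransformFinalBlock(ivAndCipher, 16, ivAndCipher.Length - 16));
        }
    }

    // Only sealed bytes are handed to MSMQ, so the p000000x.mq file never holds the plaintext body.
    public static void Send(MessageQueue queue, string body) =>
        queue.Send(new Message { BodyStream = new MemoryStream(Seal(body)) });

    public static string Receive(MessageQueue queue)
    {
        using (Message msg = queue.Receive(TimeSpan.FromSeconds(5)))
        using (var ms = new MemoryStream()) { msg.BodyStream.CopyTo(ms); return Open(ms.ToArray()); }
    }
}
```

Because the MAC is checked before decryption, a .mq file edited on disk is rejected with "Bad MAC" instead of yielding garbage or a padding-oracle signal.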

Because Microsoft Windows supports folder encryption for multiple users† through NTFS Encrypting File System (EFS), I was able to leverage this transparent encryption mechanism to support encryption of the MSMQ storage folder and therefore minimise the surface area of user access to data inside files that comprise message bodies and fragments of otherwise readable text in the *.mq files.

This solution is one alternative I devised for private queues (with no domain integration) to be transparently encrypted and without resorting to Application-Encrypted Messages or to custom encryption by the application. It actually affects all queues on the system because the entire storage location for the MSMQ instance is encrypted.

This solution continues to allow use of the MSMQ snap-in to view messages in queues for users who have been assigned permissions to do so, without them seeing garbled or encrypted text in the viewer.

Note that this solution asks you to make a new storage location on disk for the MSMQ because I had issues when trying to encrypt and convert the default storage location, which is under Windows/System32. If you find a way to make this solution work without creating a new folder, please post in the comments.

These are the steps I take to make EFS technology work for a transparently encrypted MSMQ solution:
(This information assumes you know where to find your Message Queue Manager to configure the service with, and how to carry out some other basic Windows admin tasks or to find out how to do so)

  1. Log into the machine as an administrator (assuming the Message Queuing service is already installed; if not, then install it from Windows Programs and Features).

  2. Take note of the user account the Message Queuing service is running under (i.e. Network Service). You will need this in a following step...

  3. Create an alternate storage folder on disk for msmq, e.g. C:\msmq-storage

  4. Assign your administrator user to the new folder with Full Control permission.

  5. Assign the service user account (noted in Step 2, e.g. Network Service) Full Control permission to the folder also.
    ( This is a very important step because it gives the MSMQ service user account access to the encrypted contents of the message files. )

  6. Encrypt the folder by going to its properties and enabling the Encrypt checkbox. The folder is now encrypted and may show in a different colour.
    ( You can test this by logging in as a different user on the machine and trying to access the contents of the encrypted files, resulting in an 'Access denied' message. )

  7. Now use the MSMQ Manager to re-point its storage locations (all of them) to the new encrypted folder you just created on disk (and away from the default or current storage location, wherever that might be). The change will prompt you to restart the service. Say Yes.

If you discover any problems with this solution, please post here in the comments. Thank you.

I tested this solution on both a Win 7 workstation and Windows 2008 R2 Server by writing to and reading from the queue using a basic .NET application outlined in this article about how to write a bare minimum message queue app.
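Steps 3 to 6 of the procedure above, plus the attribute checks a practitioner would run afterwards, as an added helper that is not the answer's own code (the answer uses the folder Properties dialog). Run it elevated as the administrator who will own the EFS key; the class name, the EncryptFile P/Invoke from advapi32 and the NETWORK SERVICE default for the account noted in step 2 are assumptions. Step 7 is still done in the MSMQ snap-in; once the service has restarted, UnencryptedMqFiles lists any .mq file that did not inherit the folder's encryption.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class MsmqEfsStorage
{
    // Win32 EncryptFile (advapi32) sets the EFS attribute on a file or directory;
    // files created later inside an encrypted directory are encrypted automatically.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool EncryptFile(string lpFileName);

    public static void Prepare(string path, string serviceAccount = @"NT AUTHORITY\NETWORK SERVICE")
    {
        // Step 3: alternate storage folder, e.g. C:\msmq-storage.
        DirectoryInfo dir = Directory.CreateDirectory(path);

        // Steps 4 and 5: Full Control for the current admin and for the service
        // account, inherited by the .mq files the service will create underneath.
        DirectorySecurity acl = dir.GetAccessControl();
        var inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        foreach (string who in new[] { WindowsIdentity.GetCurrent().Name, serviceAccount })
            acl.AddAccessRule(new FileSystemAccessRule(who, FileSystemRights.FullControl,
                inherit, PropagationFlags.None, AccessControlType.Allow));
        dir.SetAccessControl(acl);

        // Step 6: switch on EFS for the folder (what the Encrypt checkbox does).
        if (!EncryptFile(path))
            throw new IOException("EncryptFile failed, Win32 error " + Marshal.GetLastWin32Error());

        // Check: the Encrypted attribute must now be present on the folder.
        dir.Refresh();
        if ((dir.Attributes & FileAttributes.Encrypted) == 0)
            throw new IOException("EFS attribute missing on " + path);
    }

    // After step 7 (storage re-pointed in the MSMQ snap-in, service restarted):
    // any .mq file without the Encrypted attribute is still readable in a hex editor.
    public static string[] UnencryptedMqFiles(string path)
    {
        return Directory.EnumerateFiles(path, "*.mq", SearchOption.AllDirectories)
            .Where(f => (File.GetAttributes(f) & FileAttributes.Encrypted) == 0)
            .ToArray();
    }
}
```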
