用户如何加密服务应用程序使用的配置文件?
[英]How can a user encrypt a configuration file to be used by a service application?
问题描述
Ok, I'm asking a rather generic question to a specific problem. 
好的,我问一个特定问题的相当普遍的问题。 I have searched this in more ways than I can count, and nothing seems to work. 我用更多的方式搜索了这个,而且似乎没什么用。 Let me explain my need and then I'll mention a few of the best solutions I've found and why they don't work in my case. 让我解释一下我的需求,然后我会提到一些我找到的最佳解决方案,以及为什么它们在我的情况下不起作用。
I have an application that a user launches and uses to set up various configuration values that are saved into an app.config file. 我有一个用户启动并用于设置保存到app.config文件中的各种配置值的应用程序。 This is a WPF application. 这是一个WPF应用程序。 Specifically, some of this data are HIGHLY sensitive. 具体而言,这些数据中的一些非常敏感。
This data needs to encrypted and subsequently decrypted by a Windows Service that will be launched by the application once the configuration step is finished. 此数据需要加密,然后由配置步骤完成后由应用程序启动的Windows服务解密。 The general solution given for this scenario is to use DPAPI, which has two modes for encryption: User and Local Machine. 给出这种情况的一般解决方案是使用DPAPI,它有两种加密模式:用户和本地机器。
If you use User-level encryption, your application will encrypt and decrypt data as much as it desires, as long as the current user that initially encrypts the data is doing the decryption . 如果使用用户级加密, 只要最初加密数据的当前用户正在进行解密 ,您的应用程序就会根据需要对数据进行加密和解密 。 My problem is that when the service is started, it also restarts on reboots and will specifically be running under a different user account. 我的问题是,当服务启动时,它也会在重新启动时重新启动,并且将特别在不同的用户帐户下运行。
The next approach, using DPAPI, is to encrypt the data as the Local Machine. 使用DPAPI的下一种方法是将数据加密为本地计算机。 This means that when ANYONE logs into the machine can decrypt the sensitive data. 这意味着当ANYONE登录到机器时可以解密敏感数据。 This is a BIG no-no! 这是一个大禁忌!
What I need is to have a way for a user to specify the data he wants to encrypt and then specify an account (in this case, what will be the service account) and use it for data encryption. 我需要的是让用户有一种方法来指定他想要加密的数据,然后指定一个帐户(在这种情况下,将是什么服务帐户)并将其用于数据加密。
I can't find how to do this. 我找不到怎么做。 This MSDN article alludes that can be done. 这篇MSDN文章暗示可以做到。 (See section 'Web Farm Scenarios'.) The TL;DR on that article is that for ASP.Net applications, you can use the RsaProtectedConfigurationProvider to encrypt your data, and export the keys to be used with a specific web account. (请参阅“Web场景方案”一节。)该文章的TL; DR是针对ASP.Net应用程序的,您可以使用RsaProtectedConfigurationProvider加密数据,并导出要与特定Web帐户一起使用的密钥。 This is close to what I want, but in my case I need to create the data in a WPF application and store it to be used in a Windows Server Service. 这接近我想要的,但在我的情况下,我需要在WPF应用程序中创建数据并将其存储以用于Windows Server服务。
How can this be done? 如何才能做到这一点?
3 个解决方案
解决方案1
0 2016-11-19 13:54:54
使用帐户名作为加密的salt,decyption应使用登录的帐户名作为解密的salt。
解决方案2
0 2016-11-19 14:08:11
i have a suggestion , you can create User group add required users into that group. 我有一个建议,您可以创建用户组将所需的用户添加到该组。 And encrypt and decrypt data only if user is part of that group using second method. 仅当用户使用第二种方法成为该组的一部分时才加密和解密数据。
解决方案3
0 已采纳 2016-11-21 12:24:00
You can accomplish something similar to this using something as mundane as EFS, but unlike raw DPAPI, a recovery key might bypass the protection. 您可以使用与EFS一样平凡的东西来完成与此类似的操作,但与原始DPAPI不同,恢复密钥可能会绕过保护。 In either case, a local admin could replace your program with his own and it would have full access to the decrypted data. 在任何一种情况下,本地管理员都可以用自己的程序替换您的程序,并且可以完全访问解密的数据。
As for setting this up, the easiest way to do that would be to interactively log on with the service account and either create the protected data using System.Security.Cryptography.ProtectedData or create a file in a directory marked with the "encrypt" attribute. 至于设置它,最简单的方法是使用服务帐户以交互方式登录,并使用System.Security.Cryptography.ProtectedData创建受保护的数据,或者在标有“encrypt”属性的目录中创建文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.