
Encrypting <appSettings> tags in web.config file

I have recently come across this article which describes the process of encrypting the connectionString tags in the web.config file:

http://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/

I have used the same method to encrypt the appSettings tag in the web.config file containing my encryption key.

My question is, if I give the project to someone else who will run it on a different machine, would they be able to use the reverse process to decrypt the appSettings tag in the web.config file using aspnet_regiis tool? If not, will the project still work on his machine?

This is how I am retrieving the encryption key in my code:

string block_size = ConfigurationManager.AppSettings["rgbIV"];
string encryption_key = ConfigurationManager.AppSettings["key"];

Docs confirm that depending on the encryption provider I might be right:

http://www.asp.net/web-forms/tutorials/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-vb

Note: Since we are using the DPAPI provider, which uses keys specific to the computer, you must run aspnet_regiis.exe from the same machine from which the web pages are being served. For example, if you run this command line program from your local development machine and then upload the encrypted Web.config file to the production server, the production server will not be able to decrypt the connection string information since it was encrypted using keys specific to your development machine. The RSA provider does not have this limitation as it is possible to export the RSA keys to another machine.

So for RSA some keys are used - and without these keys the 3rd party will have a useless mess of data.

There are two types of encryption: symmetric and asymmetric.

Given you release an encrypted version of web.config, symmetric encryption will not be practically possible to decrypt, as it is machine-specific (encrypted on one machine, it can only be decrypted on that particular machine, or even only by a specific user).

Asymmetric encryption (RSA) allows you to securely share web.config. Given you provide a private key, the recipient will be able to decrypt the content. If you do not share the private key it is practically impossible to get anything but random junk.
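
An added example, not part of the original question or answers: the RSA provider workflow the answers describe, as the aspnet_regiis calls you would run on each machine. The container name, provider name, paths and app pool identity are hypothetical, and the provider type string assumes .NET Framework 4.x.

```powershell
# Added example. Hypothetical names: SharedAppKeys, SharedRsaProvider,
# C:\inetpub\MyApp, C:\secure\SharedAppKeys.xml, IIS APPPOOL\MyAppPool.
# Run from an elevated prompt: -Mode Export on the source machine,
# -Mode Import on the machine that will host the project.
param([ValidateSet('Export', 'Import')][string]$Mode = 'Export')

$regiis    = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$container = 'SharedAppKeys'
$provider  = 'SharedRsaProvider'
$site      = 'C:\inetpub\MyApp'              # folder that contains web.config
$keyFile   = 'C:\secure\SharedAppKeys.xml'   # holds the PRIVATE key once exported

# web.config must declare the provider before encrypting (assumed .NET 4.x type):
# <configProtectedData>
#   <providers>
#     <add name="SharedRsaProvider"
#          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#          keyContainerName="SharedAppKeys" useMachineContainer="true" />
#   </providers>
# </configProtectedData>

switch ($Mode) {
    'Export' {
        # Create a machine-level RSA container whose keys may be exported.
        & $regiis -pc $container -exp
        # Encrypt <appSettings> in place with the provider declared above.
        & $regiis -pef appSettings $site -prov $provider
        # Export the key pair; -pri includes the private key needed to decrypt.
        & $regiis -px $container $keyFile -pri
    }
    'Import' {
        # Import the key pair into a container of the same name.
        & $regiis -pi $container $keyFile
        # Let the application's identity read the container.
        & $regiis -pa $container 'IIS APPPOOL\MyAppPool'
        # The key file is no longer needed on disk after import.
        Remove-Item $keyFile
    }
}
```

After the import, `ConfigurationManager.AppSettings["key"]` in the question's code reads the decrypted value with no code change. Anyone who holds the exported key file can decrypt the section with `aspnet_regiis -pdf`, so transfer it over a protected channel and keep it out of the project archive.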
