Method to encrypt Config under asp.net

  • 2020-05-10 18:03:21
  • OfStack

 
<appSettings> 
<!--  Whether the connection string is encrypted  --> 
<add key="ConStringEncrypt" value="false"/> 
<!--  Connection string (support for other databases can be added). If it is encrypted, set the item above to true; if it is in clear text, e.g. server=127.0.0.1;database=codematic;uid=sa;pwd=, set the item above to false --> 
<add key="ConnectionString" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/> 
<!-- Permission module connection string --> 
<add key="ConnectionStringAccounts" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/> 
<add key="ConnectionString2" value="Data Source=|DataDirectory|\wm.mdb;Persist Security Info=True"/> 
<!-- Virtual directory name ( If it is a site, it is empty ) --> 
<add key="VirtualPath" value=""/> 
<!-- Login page address  --> 
<add key="LoginPage" value="admin/Login.aspx"/> 
<!-- Is the default menu expanded --> 
<add key="MenuExpanded" value="false"/> 
<!-- Entity object cache time (min) --> 
<add key="ModelCache" value="30"/> 
</appSettings> 

ASP.NET 2.0 added the ability to encrypt parts of web.config, using either RsaProtectedConfigurationProvider or DpapiProtectedConfigurationProvider. This article describes the steps to encrypt using RsaProtectedConfigurationProvider and a computer-level key container.
1. First determine whether the configuration section in web.config to be encrypted can be encrypted
2. Create the RSA key container
3. Identify the key container to use in web.config
4. Encrypt web.config
5. Grant access to the RSA key container
Step 1: First determine whether the configuration section in web.config to be encrypted can be encrypted
ASP.NET 2.0 supports encrypting individual configuration sections of Web.config. Data in the following configuration sections cannot be encrypted:
 
* <processModel> 
* <runtime> 
* <mscorlib> 
* <startup> 
* <system.runtime.remoting> 
* <configProtectedData> 
* <satelliteassemblies> 
* <cryptographySettings> 
* <cryptoNameMapping> 
* <cryptoClasses> 

Step 2: Create the RSA key container
To create an RSA key container, use the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the -pc switch. You must specify a name for the key container; this name identifies the key container that the RsaProtectedConfigurationProvider registered in the configProtectedData section of the application's Web.config file will use. To ensure that you can later export the newly created RSA key container, include the -exp option.
For example, the following command creates an RSA key container named ABeenKeys, which is an exportable computer-level key container:
aspnet_regiis -pc "ABeenKeys" -exp
Step 3: Modify web.config to identify the key container
Edit the Web.config file to identify the key container to use.
First add the xmlns attribute to the <configuration> element:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Then, in the <configProtectedData> section of web.config, register an RsaProtectedConfigurationProvider that uses the computer-level RSA key container named ABeenKeys:
 
<configProtectedData> 
<providers> 
<add name="ABeenProvider" 
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,Culture=neutral, processorArchitecture=MSIL" 
keyContainerName="ABeenKeys"/> 
</providers> 
</configProtectedData> 

Step 4: Encrypt the <connectionStrings> section of your web.config file
Encrypt the configuration section in your web.config file with the -pe switch, naming the section, the application's virtual path, and the provider registered in Step 3 (without -prov, Aspnet_regiis.exe uses the default RsaProtectedConfigurationProvider and its NetFrameworkConfigurationKey container rather than ABeenKeys):
aspnet_regiis -pe "connectionStrings" -app "/connectionTest" -prov "ABeenProvider"
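The same encryption can be done from code with the System.Configuration API instead of Aspnet_regiis.exe, which is useful when the section must be protected as part of a deployment script or an admin-only page. The following is an added example, not code from the article; it assumes the ABeenProvider entry from Step 3 is present in <configProtectedData>, that the code runs inside the web application (so "~" resolves to the application root), and that the project references the System.Configuration and System.Web assemblies.

```csharp
// Added example: programmatic equivalent of
//   aspnet_regiis -pe "connectionStrings" -app "/connectionTest" -prov "ABeenProvider"
// Assumes the ABeenProvider entry from Step 3 exists in <configProtectedData>.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Provider name registered in <configProtectedData> (from the article's Step 3).
    private const string ProviderName = "ABeenProvider";

    // Encrypts the named section in place. Returns true when web.config was changed,
    // false when the section was already encrypted or cannot be rewritten.
    public static bool ProtectSection(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        // A section that is already protected, or locked by a parent configuration,
        // is left alone; sections listed under Step 1 cannot be encrypted at all.
        if (section.SectionInformation.IsProtected || section.SectionInformation.IsLocked)
            return false;

        section.SectionInformation.ProtectSection(ProviderName);
        // ForceSave makes sure the section is written even if nothing else changed.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses ProtectSection, e.g. before editing the section by hand.
    public static bool UnprotectSection(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code needs no change: the runtime decrypts transparently, provided
    // the worker process identity can open the key container (Step 5).
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = WebConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Two practical notes: the account running ProtectSection needs write access to web.config and read access to the ABeenKeys container, and saving web.config restarts the application domain, so run it from a deployment step or an administrative page rather than on a normal request path.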
Step 5: Grant access to the RSA key container
You can use the following code to find out which Windows account the application runs as, and therefore which account must be granted access:
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
By default, the RSA key container is tightly protected by the NTFS access control list (ACL) on the server where it resides. This increases the security of the encrypted information by limiting who can access the encryption key. The ASP.NET application process identity must be granted read access to the RSA key container before ASP.NET can use it. You can use the Aspnet_regiis.exe tool with the -pa switch to grant the ASP.NET application's identity read access to the RSA key container. For example, the following command grants read access to the computer-level RSA key container named ABeenKeys to the Windows Server 2003 NETWORK SERVICE account:
aspnet_regiis -pa "ABeenKeys" "NT AUTHORITY\NETWORK SERVICE"
Note:
If the RSA key container is a user-level container, you must log in as the user whose Windows profile stores the key, and you must include the -pku option to grant access to the user-level RSA key container.
To use the default RsaProtectedConfigurationProvider specified in the computer configuration, you must first grant the application's Windows identity access to the computer key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. Therefore, the above command can also be issued in the following form:
aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"
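A missing -pa grant does not show up until the first request that touches the encrypted section, and then only as a generic configuration error. The following added example (not code from the article) is a check an administrator can call from an admin-only page after Step 4: it reports the identity the worker process actually runs under, whether the section is encrypted at all, and whether that identity can decrypt it. The section name and the use of "~" for the application root are assumptions.

```csharp
// Added example: verifies that the worker process identity can open the RSA key
// container used by an encrypted section. Assumes it runs inside the web application.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;

public static class KeyContainerCheck
{
    public sealed class Result
    {
        public string ProcessIdentity;   // account to pass to: aspnet_regiis -pa <container> <account>
        public bool SectionIsProtected;  // false means Step 4 has not been run for this section
        public bool DecryptionSucceeded;
        public string Error;             // provider error text when decryption fails
    }

    public static Result Check(string sectionName)
    {
        Result r = new Result();
        // Same call as the article's Response.Write line: this is the identity that
        // needs read access to the key container.
        r.ProcessIdentity = WindowsIdentity.GetCurrent().Name;
        try
        {
            Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
            ConfigurationSection section = config.GetSection(sectionName);
            if (section == null)
                throw new ArgumentException("Section not found: " + sectionName);

            r.SectionIsProtected = section.SectionInformation.IsProtected;
            // Reading the section's XML forces the provider to decrypt it, which is
            // where a missing key-container grant fails.
            section.SectionInformation.GetRawXml();
            r.DecryptionSucceeded = true;
        }
        catch (ConfigurationErrorsException ex)
        {
            // When -pa was skipped the provider typically reports:
            // "Failed to decrypt using provider 'ABeenProvider'. Error message from
            // the provider: The RSA key container could not be opened."
            r.DecryptionSucceeded = false;
            r.Error = ex.Message;
        }
        return r;
    }

    // Renders the result for an admin-only diagnostics page.
    public static string Describe(Result r)
    {
        if (r.DecryptionSucceeded)
            return "Identity " + r.ProcessIdentity + " can read the section (protected: "
                + r.SectionIsProtected + ").";
        return "Identity " + r.ProcessIdentity + " cannot decrypt the section: " + r.Error
            + " Grant access with: aspnet_regiis -pa \"<container>\" \"" + r.ProcessIdentity + "\"";
    }
}
```

If the check fails, the reported ProcessIdentity is the account name to use with -pa (ABeenKeys for the provider from Step 3, or NetFrameworkConfigurationKey if the section was encrypted with the default provider); keep the page that calls this check restricted to administrators, since it exposes the service account name.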
