Asp.net 2.0 deployment with encryption

Discussion in 'ASP .Net' started by Chuck P, Apr 18, 2006.

  1. Chuck P

    Chuck P Guest

    I need to deploy an asp.net 2.0 application that has dpapi/machine
    encrypted connection strings.

    I tried using the VS Build Publish menu selection and then putting the
    encryption in the global.asax application_start event. Unfortunately
    this errors because the asp.net account doesn't have write permissions
    to web.config. I'd rather not give permissions to the account.

    I tried writing a batch file to compile and then encrypt the
    application. That doesn't work because the compile machine is not the
    same as the deployment machine and the machine keys are naturally
    different.

    Is there a way to automate the deployment process so that the deployer
    doesn't have to remote on to the server where the app is to be
    deployed?

    thanks,
     
    Chuck P, Apr 18, 2006
    #1

  2. Hi Chuck,

    Thank you for posting and glad to see you again.

    As for the ASP.NET 2.0 configuration section protection, it provides two
    encryption approaches, DPAPI and RSA. I think the current approach you're
    using is the DPAPI one which is mentioned in the following article, correct?

    #How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
    http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp?frame=true

    As for this data protection, it is something like a symmetric data
    encryption which uses a single shared session key to encrypt and decrypt
    the data. Also, this session key is machine specific (or user store specific)
    which makes it not portable from machine to machine. So when you're using
    this approach (DPAPI) to protect the configuration section, we should do the
    final encrypting work on the deployment server rather than on the
    development server (where you compile the application). And normally, the
    work (executing the aspnet_regiis tool from the command line to encrypt the
    application's configuration section) is done by the deployment server's
    administrator.

    Then, what shall we do if we want to have the encrypting work done
    before the application is deployed to the target deployment server (on the
    development server)? Well, this brings out the second option: the RSA
    data encryption approach. Actually you can also find that the above
    article (about the DPAPI approach) mentions this in its final section, about
    protecting configuration data in a web farm scenario.

    The RSA approach is just based on RSA asymmetric data encryption/decryption
    which uses a public/private key pair. So when we want to make multiple
    web servers share the protection key setting (e.g. do the encryption on the
    web.config file on one server, and when deploying it to other servers, also
    want the protected data to be usable without additional work), we can create a
    custom RSA key pair, and on the development server, we still use the
    aspnet_regiis tool to encrypt the web.config using the created RSA key pair's
    public key, and export the private key (which is necessary for decrypting
    the data) to other servers which will want to decrypt the data (for your
    scenario, it's the deployment server). And all the tasks mentioned here,
    like creating the RSA key pair, encrypting with it, or exporting it, can be
    done via the aspnet_regiis tool.

    Here is another MSDN article which mentions using the RSA approach to do the
    configuration protection (also referenced in the above article):

    #How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
    http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000006.asp?frame=true

    Hope this helps you.

    Regards,

    Steven Cheng
    Microsoft Online Community Support


    ==================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Apr 19, 2006
    #2
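
The RSA workflow described in the reply above, written out as an added PowerShell example (not part of the original thread or of the linked MSDN articles). The container name `DeployKeys`, the provider name `DeployRsaProvider`, the function names and the worker account are assumptions; the `aspnet_regiis` switches are the tool's own.

```powershell
# Added example, not from the thread. Assumed names: container "DeployKeys",
# provider "DeployRsaProvider", worker identity "NT AUTHORITY\NETWORK SERVICE".
# web.config must declare the provider so both machines use the same container:
#   <configProtectedData><providers>
#     <add name="DeployRsaProvider" keyContainerName="DeployKeys"
#          useMachineContainer="true"
#          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
#   </providers></configProtectedData>
$Regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$Container = 'DeployKeys'

function Invoke-Regiis([string[]]$Arguments) {
    # Fail the deployment on any aspnet_regiis error instead of shipping plaintext.
    & $Regiis $Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') exited with $LASTEXITCODE" }
}

function New-DeployKey([string]$KeyFile) {
    # One time, on the build machine: create an exportable machine-level key
    # container, then export it WITH the private key (-pri) for the server.
    Invoke-Regiis @('-pc', $Container, '-exp')
    Invoke-Regiis @('-px', $Container, $KeyFile, '-pri')
}

function Install-DeployKey([string]$KeyFile, [string]$Account = 'NT AUTHORITY\NETWORK SERVICE') {
    # One time, on the deployment server, run by its administrator: import the
    # container and grant read access to the worker identity only.
    Invoke-Regiis @('-pi', $Container, $KeyFile)
    Invoke-Regiis @('-pa', $Container, $Account)
    # The XML holds the private key in the clear; do not leave it on disk.
    Remove-Item -LiteralPath $KeyFile -Force
}

function Protect-ConnectionStrings([string]$SitePath) {
    # Every build, on the build machine: encrypt <connectionStrings> in the
    # web.config under $SitePath before the files are copied to the server.
    Invoke-Regiis @('-pef', 'connectionStrings', $SitePath, '-prov', 'DeployRsaProvider')
    # Guard against publishing an unencrypted file if the section was skipped.
    $config = Get-Content -LiteralPath (Join-Path $SitePath 'web.config') | Out-String
    if ($config -notmatch '<connectionStrings\s+configProtectionProvider=') {
        throw 'connectionStrings is still plaintext'
    }
}
```

Once the key has been installed on the server, each deployment only needs `Protect-ConnectionStrings` followed by a file copy, so the ASP.NET account never needs write access to web.config. The exported key file should also be removed from the build machine and any transfer location after the import.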

  3. Chuck P

    Chuck P Guest

    Thanks, Steven

    I had read the web farm stuff, but didn't think of using it since I
    don't have a web farm.

    I guess I will create an RSA key on the production server.

    Export the public xml/key to a common location on some server.

    Write a batch file on the development machine that compiles the app
    and then encrypts the web.config using the xml file on the production
    server.

    That way any developer can deploy the app and I don't have to give the
    aspnet account any write permissions.


     
    Chuck P, Apr 19, 2006
    #3
  4. Thanks for your response Chuck,

    Yes, the webfarm/RSA approach also opens the way for us to make the encrypted
    configuration readable on another server as long as we export the correct RSA
    key to the target server machine.

    Good luck!

    Regards,

    Steven Cheng
    Microsoft Online Community Support


     
    Steven Cheng[MSFT], Apr 20, 2006
    #4