Asp.net 2.0 deployment with encryption

[Chuck P]

I need to deploy and asp.net 2.0 application that has dpapi/machine
encrypted connection strings.

I tried using the VS Build Publish menu selection and then putting the
encryption in the global.asax application_start event. Unfortunately
this errors because the asp.net account doesn't have write permissions
to web.config. I'd rather not give permissions to the account.

I tried writing a batch file to compile and then encrypt the
application. That doesn't work because the compile machine is not the
same as the deployment machine and the machine keys are naturally
different.

Is there a way to automate the deployment process so that the deployer
doesn't have to remote on to the server where the app is to be
deployed?

thanks,

 

[Steven Cheng[MSFT]]

Hi Chuck,

Thank you for posting and glad to see you again.

As for the ASP.NET 2.0 configuration section protection, it provides two
encryption approachs, DPAPI and RSA. I think the current approach you're
using is the DPAPI one which is mentioend in the following article, correct?

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp?frame=tr
ue

As for this data protection, it is something like a symmetic data
encryption which use a single shared session key to encrypt and decrypte
the data. Also, this session key is machine specific(or user storespecific)
which make it not portable from machine to machine. So when you're using
this approach(DPAPI) to protect the configuration section, we should do the
final encrypting work on the deploymenet server rather than on the
development server(where you compile the applcation). And normally, the
work (execute the aspnet_regiis tool from commandline to encrypt the
application's configuration sectino) is done by the deployment server's
administrator.

Then, what shall we do if we want to make the encrypting work done at
before the application be deployed to the target deployment server (on
development server)? Well, this brings out the second option------ RSA
data encryption approach. Actually you can also find the above
article(about DPAPI approach mentioned this in the final section , about
protect configuration data in WEBFARM scenario).

The RSA approach is just based on RSA asymmetric data encryption/decryption
which use a public/private key pair. So when we want to make multiple
webservers share the protection key setting(e.g do the encryption on the
web.conifig file on one server, and when deploy it to other servers, also
want the protected data be usable without additional work), we can create a
custom RSA key pair, and on the development server, we still use the
aspnet_regiis tool to encrypt the web.config use the created RSA key pair's
public key, and export the private key(which is necessary for decrpyting
the data) to other servers which will want to decrypt the data(for your
scenario, it's the deployment server). And all the tasks mentioned here
like creating the RSA key pair, encrypte through it, or export it can be
done via the aspnet_regiis tool.

Here is another MSDN article which mentioned using RSA approach to do the
configuration protection (also be referenced in the above article):

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000006.asp?frame=tr
ue

Hope this helps you.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Chuck P]

Thanks, Steven

I had read the web farm stuff, but didn't think of using it since I
don't have a web farm.

I guesss I will create a rsa key on the production server.

Export the public xml/key to a common location on some server.

Write a batch file on the development machine that compiles the app
and then encrypts the web.config using the xml file on the production
server.

That way any developer can deploy the app and I don't have to give the
aspnet account any write permissions.

 

[Steven Cheng[MSFT]]

Thanks for your response Chuck,

Yes, the webfarm/RSA approach also open the way we make the encrypted
configuration readable on other server as long as we export the correct RSA
key to the target server machine.

Good luck!

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)