rsa encrtyption

C

Chuck P

I created a key for encrypting my web.config

aspnet_regiis -pz WebEncryptionKeys
aspnet_regiis -pc WebEncryptionKeys -exp

exported them
aspnet_regiis -px WebEncryptionKeys c:\WebEncryptionKeys_Public.xml -pri

imported them to developers and server machines
aspnet_regiis -pi "WebEncryptionKeys" "c:\WebEncryptionKeys_Public.xml "


Then in MsBuild I run
<Target Name="AfterBuild">
<Exec WorkingDirectory="$(OutputPath)"
Command="$(Registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\2.0@MSBuildToolsPath)aspnet_regiis.exe
-pef connectionStrings $(OutputPath) -prov HrCustomProvider" />

This works fine from my machine, the web.config gets encrypted and moved to
the server.
However, if a co-worker runs the same msBuild on her machine, we get a bad
data error when the website is hit on the server. If I deploy to the server,
she can logon to the server and encrypt and decrpyt the web.config.

I re-imported the encryption keys to her machine with the same results.

The only thing I can think of is that her machine is using a different
version of the encrtyption algorithims?

So I had her run windows update on her machine, couple things got updated
sql server mostly.

I logged on to her machine, deployment worked.
She logged on to her machine, deployment worked.

The keys were created months ago. Any idea what happened?
 
S

Steven Cheng [MSFT]

Hi Chuck,

From your description, you're encountering some problems about encypting
web.config via exportable RSA provider, correct?

According to the RSA encryption reference, I've performed some local tests,
the normal process of encrypting web.config section via RSA provider and
move to other machine is as below:

======================
Step 1

Create a machine-level RSA key container:
aspnet_regiis -pc "MyTestKeys" -exp

Step 2

Grant Read Access to the RSA Encryption Key:

aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 3

Encrypt the config file:
aspnet_regiis -pef "connectionStrings" "physical path of the web site
folder" -prov MyRSAProvider


export the container and import it back to other machine using the
following steps

Step 4

Export the machine-level RSA key container:
aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri

Step 5

Copy Config-Key.xml to c:\ on 2nd server

Step 6

Import the the machine-level RSA key container on the 2nd server:
aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"

Step 7

Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 8

Copy encrypted web.config to 2nd server

========================

Based on the steps you mentioned, I think most of the process you've
followed should be correct. So far I'd like to suggest you check the
following things:

1. Check your custom RSA provider setting to see whether it is correctly
copied to target machine also and set to use Machine container

========encrypt config section=======
<configProtectedData>
<providers>
<add keyContainerName="MyTestKeys"
useMachineContainer="true"
description="Uses RsaCryptoServiceProvider to encrypt and
decrypt"
name="MyRSAProvider"

type="System.Configuration.RsaProtectedConfigurationProvider,System.Configur
ation, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
=======================


2. AS in the above steps, after you create RSA key container, you need to
use "aspnet_regiis -pa" to make sure that the certain account(which will
run your ASP.NET application) has the sufficient access permission to the
key container. Generally, when you use VS 2008/VS 2005 test server to run
ASP.NET application, you're using the logon user(which is probably the
admin), however, if you run the ASP.NET in IIS (or after move to other
server which is using another different process account), you need to make
sure the certain process account have been granted the permission.

You can check them to see whether the problem is due to some of them.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
 
C

Chuck P

Thanks Steven,
That's exactly what we've been doing for the past year.
Why it didn't work on one developers work station I don't know.
It seems to work for her now and all we did was apply some Sql Server updates.

My only guess was that the MS dll she used to apply the RSA encryption was
somehow different from the one on the server.
 
S

Steven Cheng [MSFT]

Thanks for your reply Chuck,

I also think that there might exists some environment specific things that
cause the problem as you've also followed all the necessary steps. BTW, the
assemblies for the encrypting should be embeded in the .NET framework 2.0's
built-in framework assemblies, so far .net framework 2.0 only has SP1. Is
the problem machine originally has has many patchs or update unapplied?

Anyway, I'm glad to hear that it has been working now. If you have any
further things need help, welcome to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?Q2h1Y2sgUA==?= <[email protected]>
References: <[email protected]>
Subject: RE: rsa encrtyption
Date: Tue, 6 May 2008 06:51:02 -0700
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top