
I need to encrypt part of our web.config for our ASP.Net 4.0 project, but we are required to use AES and the default appears to be Triple DES. How can I tell it to use AES encryption instead?

In the command prompt I do the following commands:

aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
aspnet_regiis -pe "connectionStrings" -app "/<myapp>"

I figure I set the encryption method to AES by selecting the appropriate CSP (-csp) but I haven't been able to find or figure out the name of the right one.

And one of the lines in the encrypted web.config is:

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

1 Answer


The provider is selected using the -prov parameter to aspnet_regiis. The providers are registered in the web/machine.config using the configProtectedData section. In order to register AES you would use something like this:

<configProtectedData>
    <providers>
        <add name="AesProvider"
            type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider"
            description="Uses an AES session key to encrypt and decrypt"
            keyContainerName="iisConfigurationKey" cspProviderName=""
            useOAEP="false" useMachineContainer="true"
            sessionKey="aSessionKeyGoesHere" />
    </providers>
</configProtectedData>

On my machine RSA and DPAPI are the preconfigured algorithms in machine.config.

Provided that the AES provider is registered you should be able to encrypt a config section using:

aspnet_regiis -pe "connectionStrings" -app "/<myapp>" -prov "AesProvider"
PHeiberg
  • Re: sessionKey="aSessionKeyGoesHere": Is this related to an internet request session? What would I set this to or how would I calculate or derive an appropriate value? –  Jan 08 '12 at 16:09
  • Also, I have tried implementing this in both the web.config in my app and the machine.config and I always get this error: Encrypting configuration section... Could not load type 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider' from assembly 'System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. Failed! –  Jan 08 '12 at 16:23
  • The sessionKey is the AES encryption key to use. Probably the AesProtectedConfigurationProvider has been removed from the available encryption providers at some point in the framework history and now only the RSA and DPAPI are part of the core. I've been unable to locate the source for the Aes provider, other than that it's referenced in some old encryption samples and machine.config samples. – PHeiberg Jan 09 '12 at 08:28
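The comments above establish that the .NET 4.0 System.Configuration assembly ships only the RSA and DPAPI providers, so the remaining route to an AES requirement is the one the answer describes for any provider: write a ProtectedConfigurationProvider and register it under configProtectedData. What follows is an added example written for this page, not code from the question, the answer or Microsoft. It implements AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC, since AES-GCM is not in the 4.0 base class library). The namespace and class names, the key attribute, the subkey derivation and the layout of the encrypted node are this example's own assumptions.

```csharp
// Added example (not from the original page): a custom AES provider for
// aspnet_regiis / System.Configuration on .NET 4.0. Needs a reference to
// System.Configuration and System.Core. All names below are hypothetical.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

namespace MyCompany.Config
{
    public sealed class AesConfigProvider : ProtectedConfigurationProvider
    {
        private byte[] _encKey;   // AES-256 key derived from the configured master key
        private byte[] _macKey;   // HMAC-SHA256 key derived from the same master key

        public override void Initialize(string name, NameValueCollection config)
        {
            // The provider reads a 32-byte master key from its "key" attribute (hex).
            string hex = config["key"];
            if (string.IsNullOrEmpty(hex) || hex.Length != 64)
                throw new ConfigurationErrorsException("AesConfigProvider needs a 'key' attribute: 32 bytes, hex-encoded.");
            byte[] master = HexToBytes(hex);
            // Domain-separated subkeys so one secret never serves both AES and HMAC.
            _encKey = Derive(master, "enc");
            _macKey = Derive(master, "mac");
            config.Remove("key");   // do not leave the secret in the provider's attribute bag
            base.Initialize(name, config);
        }

        // Called by aspnet_regiis -pe: returns the node that replaces the section contents.
        public override XmlNode Encrypt(XmlNode node)
        {
            byte[] plaintext = Encoding.UTF8.GetBytes(node.OuterXml);
            byte[] iv, ciphertext;
            // AesCryptoServiceProvider (CAPI-backed) rather than AesManaged, which FIPS policy blocks.
            using (var aes = new AesCryptoServiceProvider { Key = _encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
            {
                aes.GenerateIV();           // fresh random IV for every section encrypted
                iv = aes.IV;
                using (ICryptoTransform enc = aes.CreateEncryptor())
                    ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
            byte[] tag = Mac(iv, ciphertext);   // authenticates IV || ciphertext

            var doc = new XmlDocument();
            XmlElement root = doc.CreateElement("EncryptedData");
            AppendText(root, "IV", Convert.ToBase64String(iv));
            AppendText(root, "CipherData", Convert.ToBase64String(ciphertext));
            AppendText(root, "Mac", Convert.ToBase64String(tag));
            doc.AppendChild(root);
            return doc.DocumentElement;
        }

        // Called at runtime when the section is read: must return the original section node.
        public override XmlNode Decrypt(XmlNode encryptedNode)
        {
            byte[] iv = ReadBase64(encryptedNode, "IV");
            byte[] ciphertext = ReadBase64(encryptedNode, "CipherData");
            byte[] tag = ReadBase64(encryptedNode, "Mac");
            // Verify the tag before decrypting; a tampered or foreign blob is rejected here.
            if (!FixedTimeEquals(tag, Mac(iv, ciphertext)))
                throw new ConfigurationErrorsException("Encrypted section failed integrity check.");

            byte[] plaintext;
            using (var aes = new AesCryptoServiceProvider { Key = _encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
            using (ICryptoTransform dec = aes.CreateDecryptor())
                plaintext = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);

            var doc = new XmlDocument();
            doc.LoadXml(Encoding.UTF8.GetString(plaintext));
            return doc.DocumentElement;
        }

        private byte[] Mac(byte[] iv, byte[] ciphertext)
        {
            using (var h = new HMACSHA256(_macKey))
            {
                h.TransformBlock(iv, 0, iv.Length, null, 0);
                h.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
                return h.Hash;
            }
        }

        private static byte[] Derive(byte[] master, string label)
        {
            using (var h = new HMACSHA256(master))
                return h.ComputeHash(Encoding.ASCII.GetBytes(label));
        }

        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        private static void AppendText(XmlElement parent, string name, string text)
        {
            XmlElement e = parent.OwnerDocument.CreateElement(name);
            e.InnerText = text;
            parent.AppendChild(e);
        }

        private static byte[] ReadBase64(XmlNode parent, string name)
        {
            XmlNode n = parent.SelectSingleNode(name);
            if (n == null) throw new ConfigurationErrorsException("Encrypted section is missing <" + name + ">.");
            return Convert.FromBase64String(n.InnerText);
        }

        private static byte[] HexToBytes(string hex)
        {
            var bytes = new byte[hex.Length / 2];
            for (int i = 0; i < bytes.Length; i++)
                bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
            return bytes;
        }
    }
}
```

To use it, the compiled assembly is registered the same way the answer shows, with an add element under configProtectedData/providers whose name is e.g. AesProvider, whose type is "MyCompany.Config.AesConfigProvider, MyCompany.Config" and which carries the key attribute (64 hex characters, generated with a CSPRNG), after which the answer's aspnet_regiis -pe ... -prov "AesProvider" command applies; aspnet_regiis has to be able to load the assembly, which in practice means installing it in the GAC. The trade-off to keep in mind is that a key written into machine.config is protected only by that file's ACL, whereas the built-in DPAPI provider ties its key to the machine or user credentials; if AES is mandated, pairing this provider with a key stored outside the config file (DPAPI-wrapped, or in a hardware-backed store) is the stronger design.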