3

We are about to use DPAPI to encrypt the connection string in our ASP.NET web config file. But I am confused between using RSA or DPAPI for our web cluster (farm). The following MSDN links clearly say that we need to use RSA provider if we want to deploy ASP.NET apps on a web farm.

http://msdn.microsoft.com/en-us/library/ms998280.aspx

http://msdn.microsoft.com/en-us/library/ms998283.aspx

But I do not understand what the issue could be with using DPAPI across all machines in my web farm. I essentially can perform the same operation on all servers and create a new "encrypted connection string" on each machine. Why would this not work?

Narendra Naidu
  • What exactly are you protecting? Who needs to have access to it (ie is it per machine or shared across machines or...)? – Eric Fleischman Sep 20 '12 at 15:12
  • I am trying to protect the connection string that contains the database password. Only the web application needs to access it. I could not understand why MS mandates the use of RSA token over a web farm. I fail to understand why DPAPI would not work. The key would be different on each node in the farm, but it should work. – Narendra Naidu Sep 21 '12 at 06:25

3 Answers

2

The articles state that it is preferable, but it is not a mandate. If you have several machines in your farm, then it is easier to encrypt one file and deploy it several times rather than going to each machine and "touching" it.

beeen
2

The reason why it won't work is because the domain account used in your web farm would be logged on to multiple computers.

"For DPAPI to work correctly when it uses roaming profiles, the domain user must only be logged on to a single computer in the domain. If the user wants to log on to a different computer that is in the domain, the user must log off the first computer before the user logs on to the second computer. If the user is logged on to multiple computers at the same time, it is likely that DPAPI will not be able to decrypt existing encrypted data correctly."

http://support.microsoft.com/kb/309408#6

I'm currently trying to work around this issue somehow, and would love some ideas of how you solved it!

Regards

Molibar
0

By using RSAProtectedConfigurationProvider you can encrypt your configuration on one machine using a custom RSA Key Container & export these keys. Then, you can import the container to each server to which you deploy your application. MSDN

Zo Has
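The export/import workflow described in the answer above, written out as an added worked example (not code from any of the answerers or from MSDN). The container name "FarmKeys", the export path, the application path, the provider name and the app pool identity are assumptions; the aspnet_regiis switches are the tool's real ones.

```powershell
# Added example: one RSA key container shared by every farm node, so a web.config
# encrypted on one node decrypts on all of them. Assumed names: container "FarmKeys",
# export file C:\keys\FarmKeys.xml, app at C:\inetpub\wwwroot\MyApp, provider
# "FarmRsaProvider", app pool identity "IIS APPPOOL\MyApp".
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

# --- On the machine where you encrypt (once) ---
# 1. Create an exportable, machine-level RSA key container.
& $regiis -pc "FarmKeys" -exp

# 2. Export it together with the private key, for import on the other nodes.
#    This XML file IS the key: keep it off shared drives and delete it after import.
& $regiis -px "FarmKeys" "C:\keys\FarmKeys.xml" -pri

# 3. Declare a provider bound to that container in web.config (inside <configuration>).
#    Version/PublicKeyToken below are those of System.Configuration for .NET 4.x.
$providerXml = @"
<configProtectedData>
  <providers>
    <add name="FarmRsaProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="FarmKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
"@
Write-Host "Add this fragment to web.config before step 4:`n$providerXml"

# 4. Encrypt the connectionStrings section with that provider.
& $regiis -pef "connectionStrings" "C:\inetpub\wwwroot\MyApp" -prov "FarmRsaProvider"

# --- On every other farm node ---
# 5. Import the same container, then let the app pool identity read the private key;
#    without -pa the app throws "The RSA key container could not be opened".
& $regiis -pi "FarmKeys" "C:\keys\FarmKeys.xml"
& $regiis -pa "FarmKeys" "IIS APPPOOL\MyApp"

# 6. Verify on a scratch copy of the site: a successful decrypt proves the node has the key.
#    & $regiis -pdf "connectionStrings" "C:\temp\MyAppCopy"
```

With DPAPI instead, step 2 has no equivalent, since the machine key never leaves the box, which is why each node would need its own separately encrypted web.config and a deployed file from one node would fail to decrypt on the others.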