
I have run on my computer

aspnet_regiis -pe "connectionStrings" -app "/MyApp" -site "MySite"

And it created an encrypted <connectionStrings> XML element in web.config.

Now every time that I deploy my app to a new environment,
web.config is being "web transformed" into a new web.config and then deployed.
I understand that the encryption is unique per machine. I tried to copy the encrypted value and it didn't work.

  1. Do I need to run the "aspnet_regiis -pe ..." command every time I deploy and on every machine?
    Is there a better practice?
  2. What/where is the unique key on my computer that my machine uses in the encryption?
    Do I need to guard it against potential attacks?
    Thanks.
Bick

1 Answer


1) Yes, I would recommend deploying the unencrypted web.config file to the new server, then running your encryption command as part of the "deployment process".

2) The OS and Framework should be guarding the default encryption key for you already. You can learn more about the internals of all this at the following link:

http://msdn.microsoft.com/en-us/library/dtkwfdky%28v=vs.100%29.aspx

"This walkthrough uses the default RsaProtectedConfigurationProvider provider that is specified in the Machine.config file and named "RsaProtectedConfigurationProvider". The RSA key container that is used by the default RsaProtectedConfigurationProvider provider is named "NetFrameworkConfigurationKey"."

Keep in mind that the key that is used to encrypt/decrypt the web.config file is not the machine key (it is separate). However if you're deploying to a web farm you'll want to also ensure that the machine keys are consistent or you'll see strange errors arise.

mikey
  • 1. Thanks. I thought of the possibility to use one signed key on my deployment server, then sign all of the deployed environments with it and publish the key with the binaries. – Bick Jan 30 '13 at 20:36
  • 2. who will the process that runs the encryption command be? – Bick Jan 30 '13 at 20:37
  • Not sure I follow on 1. Each server will likely have a different key (and that is fine). You just copy your web application complete with web.config (unencrypted) to the server(s) and set it up in IIS, then run the aspnet_regiis command to encrypt any sections of the web.config you like. You would run it on each server, it is just another step in the process of deploying the application. On 2.. You need to run the encryption command with an identity that can read the key, so administrator to start. The link above also describes how to grant read access to other identities. – mikey Jan 31 '13 at 03:03
  • This thread has some more discussion of your issue, it sounds to me like what you're most interested in is "web.config encryption in a web farm". http://stackoverflow.com/questions/7998666/asp-net-encryption-aspnet-regiis-farm – mikey Jan 31 '13 at 03:05
  • In a web farm you'll also probably want your machine keys to match, but that is sort of a different topic because machine key is not used for encryption/decryption of web.config. It is used for other ASP.NET functions though. – mikey Jan 31 '13 at 03:10
  • As a developer I had to make my own encryption for connectionStrings. And I very much like the added MS support for encryption. I don't like mikey's answer of placing the unencrypted config file first and then encrypting. That may be fine on a brand new server. But we are trying to protect sensitive data; if a server is compromised and we would like to make changes to the config file as part of our discovery/recovery process, we basically have to expose our system even more. I'm not sure I would be comfortable doing that. Currently, I encrypt first and then deploy. – Arturo Hernandez Apr 24 '13 at 15:42
  • @ArturoHernandez The server needs to decrypt your custom-encrypted connection string in order to connect to the database at runtime, right? How does it do so, i.e. what sort of key does it use for decryption and where is it stored? – mikey Apr 24 '13 at 17:40
  • @mikey I did find more options to the aspnet_regiis -p... command line that allows you extract a public key and encrypt it somewhere else. This is better than what I had to concoct back when there was no encryption support. – Arturo Hernandez May 07 '13 at 14:49
  • @ArturoHernandez That is excellent, I was not aware such a flag existed. Good to know! – mikey May 07 '13 at 14:51
  • Can I modify a Web.config with an encrypted connection string? (e.g. adding more sections, appSettings). Will the encrypted connection string still work? Or do we need to add the clear-text connectionString every time we modify the Web.config? Thanks – Carlos Magno Rosa Jan 26 '16 at 18:57
  • @CarlosMagnoRosa - yes you should be able to do that. So long as you don't touch the encrypted portion of the file you should be OK. – mikey Feb 01 '16 at 16:55
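The deployment step mikey describes (copy the unencrypted web.config to each server, then encrypt it there as part of the deployment) and the web-farm variant Arturo points at (share one RSA key container across servers so a section encrypted on one node decrypts on all of them) can both be scripted. The following PowerShell is an added example, not code from the question, the answer or Microsoft; it uses the documented aspnet_regiis switches `-pi` (import a key container), `-pa` (grant an identity read access to the container), and `-pef` (encrypt a section by physical path instead of site/app name). The paths, the app pool identity and the name of the key export file are hypothetical values; the container name NetFrameworkConfigurationKey is the default one quoted from MSDN in the answer.

```powershell
# Added example: encrypt the connectionStrings section of a deployed web.config
# with the default RsaProtectedConfigurationProvider, as one step of deployment.
# Optional key import covers the web-farm case: import the same RSA key container
# on every server before encrypting, so the ciphertext is portable across nodes.
# Hypothetical values (adjust to your environment):
#   $SitePath       physical path of the deployed app (directory holding web.config)
#   $AppPoolUser    identity the IIS application pool runs as
#   $KeyExportFile  optional XML produced elsewhere with "aspnet_regiis -px <container> keys.xml -pri"
#                   (the container must have been created exportable: "-pc <container> -exp")
param(
    [string]$SitePath      = 'C:\inetpub\MyApp',
    [string]$AppPoolUser   = 'IIS AppPool\MyApp',
    [string]$KeyExportFile = '',
    [string]$Container     = 'NetFrameworkConfigurationKey'   # default container named in the MSDN quote
)

$ErrorActionPreference = 'Stop'
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# Run aspnet_regiis and fail the deployment on a non-zero exit code.
function Invoke-RegIIS([string[]]$Arguments) {
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Web farm only: import the shared key container. Skipped when no export file is given,
#    in which case each server uses its own default container, which is mikey's single-server flow.
if ($KeyExportFile) {
    Invoke-RegIIS @('-pi', $Container, $KeyExportFile)
}

# 2. Grant the app pool identity read access to the container; without this the site
#    cannot decrypt the section at runtime (the MSDN walkthrough covers this step).
Invoke-RegIIS @('-pa', $Container, $AppPoolUser)

# 3. Encrypt the section in place, addressing the config by physical path so the
#    script does not depend on the IIS site and application names.
Invoke-RegIIS @('-pef', 'connectionStrings', $SitePath)

# 4. Verify: the section must now carry configProtectionProvider and an EncryptedData
#    child, and no plaintext <add name="..." connectionString="..."/> entries.
[xml]$cfg = Get-Content (Join-Path $SitePath 'web.config')
$section = $cfg.configuration.connectionStrings
if (-not $section.configProtectionProvider -or -not $section.EncryptedData) {
    throw 'connectionStrings was not encrypted'
}
if ($section.add) { throw 'plaintext <add> entries still present in connectionStrings' }
Write-Host "connectionStrings encrypted with $($section.configProtectionProvider)"

# 5. Web farm only: the export file contains the private key; do not leave it on the web server.
if ($KeyExportFile -and (Test-Path $KeyExportFile)) { Remove-Item $KeyExportFile -Force }
```

Run it elevated on each target server after the files are copied and the IIS site exists; the `-pa` grant is what lets a non-administrator app pool identity read the container, which answers the "who runs the encryption command" comment: the command itself needs an administrator, the site only needs read access to the key. The verification step is the part worth keeping even if the rest is replaced by a different tool: a deployment that silently leaves `<add connectionString="...">` in clear text is the failure mode this whole thread is about.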