I've been trying to write a tool to use RsaProtectedConfigurationProvider to secure the connectionStrings settings of my application. While there are many tutorials on managing this using aspnet_regiis.exe command lines, I haven't found much in terms of doing these through the ConfigurationManager API.

That said, I have a few questions on managing this programmatically:

  1. Can you specify using a machine or user level keys?
  2. Can you identify and export the key you are using?
  3. Encryption seems to require manually giving the user access to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (source). Why?

Thank you in advance.

Jake
  • The user automatically ALWAYS has access to `..\ProgramData\Microsoft\Crypto\RSA` because it's the `ProgramData` directory. Besides, it's not required; the configuration of the server was clearly not correct if the person had to take OWNERSHIP of that folder. Furthermore... aspnet_regiis.exe can be used to encrypt the contents within the configuration file of a desktop application. There are also several related questions: http://stackoverflow.com/questions/21965/programmatically-encrypting-a-config-file-in-net?rq=1 – Security Hound Feb 06 '13 at 18:32
  • My mistake, C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys as removing explicit read access to this directory gives me: "Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.\r\n" – Jake Feb 06 '13 at 18:38
  • @Ramhound I've taken a look at the related questions. None of them go further than describing how to set up Machine Key based authentication programmatically. User level keys and key exports aren't discussed. – Jake Feb 06 '13 at 18:44
  • It should be expected that removing explicit read access from a directory you already have explicit read access to would cause an error. As for Machine Key based authentication, you have to use aspnet_regiis.exe to do that, which is all explained in those links in that question. – Security Hound Feb 06 '13 at 19:31
  • @Ramhound The folder is initially set up without read access. I'm just confused on why this needs to be set manually for RSA. That's untrue. Machine key based authentication is used by default programmatically, which is the reason why the user needs access to the MachineKeys folder. – Jake Feb 06 '13 at 19:46
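A worked example, added here and not part of the question or its comments, that does the three things asked about entirely through System.Configuration: it registers an RsaProtectedConfigurationProvider with a chosen keyContainerName and useMachineContainer value (question 1), creates and exports the key with AddKey/ExportKey (question 2), and then encrypts connectionStrings with it. ProviderName, ContainerName, the exe/XML paths and the 2048-bit key size are assumptions.

```csharp
using System.Collections.Specialized;
using System.Configuration;

// Added example, not code from the question. Requires a reference to System.Configuration.dll.
static class ConfigProtector
{
    // Assumed names. useMachineContainer=false keeps the key in the calling user's profile
    // key store, so the MachineKeys ACL from question 3 is never involved; only that
    // account can decrypt. true puts it in MachineKeys, shared by every account granted access.
    const string ProviderName = "MyRsaProvider";
    const string ContainerName = "MyAppKeys";
    const bool UseMachineContainer = false;

    static RsaProtectedConfigurationProvider NewProvider()
    {
        var p = new RsaProtectedConfigurationProvider();
        p.Initialize(ProviderName, new NameValueCollection {
            { "keyContainerName", ContainerName },
            { "useMachineContainer", UseMachineContainer ? "true" : "false" },
            { "useOAEP", "true" } });
        return p;
    }

    // Q1/Q2: create the container and export it (equivalent of aspnet_regiis -pc / -px).
    // includePrivateParameters=true writes the private key to xmlPath: treat that file as a
    // secret, import it on the target machine with ImportKey, then delete it.
    public static void CreateAndExportKey(string xmlPath)
    {
        var p = NewProvider();
        p.AddKey(2048, exportable: true);
        p.ExportKey(xmlPath, includePrivateParameters: true);
    }

    // Registers the provider in <configProtectedData> and encrypts <connectionStrings>.
    public static void ProtectConnectionStrings(string exePath)
    {
        Configuration cfg = ConfigurationManager.OpenExeConfiguration(exePath);
        var protectedData = (ProtectedConfigurationSection)cfg.GetSection("configProtectedData");
        if (protectedData.Providers[ProviderName] == null)
        {
            var s = new ProviderSettings(ProviderName,
                typeof(RsaProtectedConfigurationProvider).AssemblyQualifiedName);
            s.Parameters["keyContainerName"] = ContainerName;
            s.Parameters["useMachineContainer"] = UseMachineContainer ? "true" : "false";
            s.Parameters["useOAEP"] = "true";
            protectedData.Providers.Add(s);
            cfg.Save(ConfigurationSaveMode.Modified);     // persist the provider first,
            cfg = ConfigurationManager.OpenExeConfiguration(exePath); // then reopen so ProtectSection sees it
        }
        ConfigurationSection cs = cfg.GetSection("connectionStrings");
        if (!cs.SectionInformation.IsProtected)
        {
            cs.SectionInformation.ProtectSection(ProviderName);
            cs.SectionInformation.ForceSave = true;
        }
        cfg.Save(ConfigurationSaveMode.Modified);
    }
}
```

Call CreateAndExportKey once per key (it fails with "Object already exists" if the container is already there, the same message the comments quote), then ProtectConnectionStrings against the compiled application's exe path; ConfigurationManager reads the encrypted section transparently at run time as long as the process runs under an account that can open the container.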