Encrypting externally stored App blocks with exportable Key Provider

Question

I have been trying for quite a while to figure out how to encrypt Application blocks that are stored in an external file called dev_entlib.config

I can see in entlib (4.1) that it's possible to use the default protection providers to encrypt the blocks but, I really need to deploy this Application on different servers and thus I would need to export the keyProvider used to encrypt the application blocks to those servers.

What I've done so far is to add a custom Protected Configuration Provider to the machine.config file in the .net v2.0* whatever folder (and all the target servers)

the custom provider is like this

<add name="MyCompanyProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider, 
          System.Configuration, Version=2.0.0.0, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a,
         processorArchitecture=MSIL"
    keyContainerName="MyKey" 
    useMachineContainer="true" />

that sits nicely beside the other default providers and even has design time support in the Entlib config tool. I then choose the protection provider for each block I want to encrypt.

Looking at the dev_entlib.config, shows that indeed the block was encrypted with my provider. My provider uses my key container. Therefore the block should be encrypted using my key container. I then Export "MyKey" to an xml file using:

c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!

This key file is then copied to my sysTest server where it is imported and has access rights granted to "NT Authority\Network Services" and "ASPNET"

I then copy over my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page which uses .net ConfigurationManager to get the ConnectionStrings collection and display them on the page. This page is running under IIS and the identity of the process is "NT Authority\Network Services".

The problem is, that it doesn't work! There are bad data errors or "failed to decrypt using provider MyCompanyProvider".

This approach seems to make logical sense to me but it still fails.

Does anyone have another suggestions?

Answer 1

Encrypt external Enterprise Library configuration files with your custom RSA key container using the Enterprise Library Configuration tool.

• EntLib (4.1) uses the default protection provider RsaProtectedConfigurationProvider. But it is possible to remove this provider within your configuration file and replace it with your own with the same name which can then point to your custom key provider: "MyKey".
• You should add this configProtectedData section in the configuration file that has the region that you want to encrypt (e.g. your external file: *dev_entlib.config*). You do not need to modify the machine.config file at all.
• You can then choose the RsaProtectedConfigurationProvider from the Enterprise Library Configuration application for the Data Access Application Block ProtectionProvider.
• You have to open this EntLibConfig.exe with Run as administrator if you are on Vista, Windows 7, Windows 2008.
  • Otherwise you will get an error:
    • Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.
• You can then copy this encrypted *dev_entlib.config* along with the web.config configuration file to your sysTest server. Open up the web.config file with Enterprise Library Configuration tool on that sysTest server should not get the error:
  • Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.

web.config

This file is pretty much empty and just points to the external Data Configuration file:

<!-- web.config -->
<configuration>
  <configSections>
    <section name="enterpriseLibrary.ConfigurationSource" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ConfigurationSourceSection, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <enterpriseLibrary.ConfigurationSource selectedSource="External Data Configuration File Source">
    <sources>
      <add name="External Data Configuration File Source" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.FileConfigurationSource, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        filePath="dev_entlib.config" />
    </sources>
  </enterpriseLibrary.ConfigurationSource>
</configuration>

dev_entlib.config

This file has the connection strings and the protection provider with which it should be encrypted with:

<!-- dev_entlib.config -->
<configuration>
    <configSections>
        <section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
 </configSections>
    <dataConfiguration defaultDatabase="MyConnectionStringName" />
 <connectionStrings>
  <add name="cnHnicMediaLibrary" connectionString="Server=MyDbServer; Database=MyDbName; Integrated Security=SSPI"
   providerName="System.Data.SqlClient" />
 </connectionStrings>
  <configProtectedData>
    <providers>
      <remove name="RsaProtectedConfigurationProvider" />
      <add    name="RsaProtectedConfigurationProvider"
        keyContainerName="MyKey"
        useMachineContainer="true"
        description="Uses our own encryption key container so that it will work in a Web Farm setting. We need to trick Enterprise Library, which wants to use the default RsaCryptoServiceProvider to encrypt and decrypt, by replacing this default provider with our own while this configuration is processed!"
        type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </configProtectedData>
</configuration>

Based on:

• http://entlib.codeplex.com/discussions/237555 (AvanadeSupport, Dec 8 2010 at 11:37 PM)
• http://entlib.codeplex.com/discussions/10300 (shane2007, Jul 9 2007 at 1:15 PM)
• http://entlib.codeplex.com/discussions/213998 (need to change the version back to 2.0.0.0)

I hope that this described the error message that you had and how to fix it.

Answer 2

It doesn't seem to be possible yet. My solution is to just encrypt the blocks as part of the web.config and then copy and paste those blocks into an external entLib.config file. These block should then be able to be decrypted on the target servers with the exported key.