How to encrypt web.config with AES instead of 3DES

Question

I am currently attempting to use aspnet_regiis to encrypt the web.config file. While it uses RSA to encrypt the key, the encryption methodology for encrypting the web.config file is 3DES, which NIST no longer recommends using. So, does anyone know how to encrypt the web.config file with AES? Bonus, if it is possible, how would I set the key size (e.g., 128, 256 ... 2048 bit)?

I reviewed the following links and their attendant links without success:

Change Microsoft Config File Encryption Method From TripleDES

RSACryptoServiceProvider and Web.config encryption

https://msdn.microsoft.com/en-us/library/68ze1hb2.aspx – NnN Feb 05 '18 at 06:47 — NnN, Feb 05 '18 at 06:47

score 1 · Accepted Answer · edited Jun 20 '20 at 09:12

1

By default, asp.net offer two providers:

RSAProtectedConfigurationProvider

DPAPIProtectedConfigurationProvider

If you can't use another one, you must implement your custom provider.

And after that, register your provider:

<providers>
  <add keyContainerName="CustomKeys" 
           useMachineContainer="true"
           description="My custom provider"
           name="CustomProvider" type="MyApp.MyCustomProtectedConfigurationProvider" />
  </providers>

And use it:

aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "CustomProvider"

This link have an example with how to implement a Configuration Provider.

edited Jun 20 '20 at 09:12

Community

1
1

answered Feb 05 '18 at 15:01

KelvynRisso

82
6

Is it possible to create a KeyContainer for AES keys? IN this case, I created a custom provider called AesProtectedConfigurationProvider. The discussion by Microsoft assumes that you use the RSAProtectedConfigurationProvider. – J Weezy Feb 14 '18 at 05:12
Have you tried to create a KeyContainer after specified your customProvider? `aspnet_regiis -pc "YourKey" –exp` , and after that, add an attribute to your provider declaration keyContainerName="YourKey". – KelvynRisso Feb 14 '18 at 12:01
I did, and I updated the KeyContainer reference to 'YourKey', instead of the file path, within the config file. But when I try to encrypt the web.config, I get the following error: Could not find file 'C:\Windows\System32\YourKey' The two commands that I used to create the KeyContainer are as follows: 1.) Create KeyContainer: aspnet_regiis -pc "YourKey" -exp 2.) Register user: aspnet_regiis -pa "YourKey" "DOMAIN\UserAcct" I added both the application identity account as well as my own account via the -pa command without success. Am I missing something or did I do something wrong? – J Weezy Feb 16 '18 at 04:56
@JWeezy, Maybe because you are trying to grant access to an user account and create KeyContainer as a machine level. Try to add `-pku` to create and grant command to specify a user level container. – KelvynRisso Feb 16 '18 at 10:56
That did not work - I'm still getting the same error. I did set the useMachineContainer="false" since I tried creating a user-level container. Is it possible to create a key container for my AES protect configuration provider? Note: I am running the CMD window in administrator mode. – J Weezy Feb 20 '18 at 06:54

How to encrypt web.config with AES instead of 3DES

1 Answers1

Linked