0

When trying to decrypt an old application's web config using ASPNET_REGIIS -pdf I get the error, 'Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The parameter is incorrect.'

I am able to encrypt and decrypt the web config using ASPNET_REGIIS -pef/-pdf when pulled from version control where the web.config is stored unencrypted. I notice that when I encrypt it myself, the EncryptionMethod Algorithm="" is different.

Mine:

Old:

Is there a way to set the algorithm from the command line? Is that even the issue here? I assumed ASPNET_REGIIS would read the link and decryption would proceed automatically and setting the algorithm manually would not be needed. So, how can I resolve this error? What is causing this error?

Nerakat

1 Answer

0

This can be related to the allowed encryption ciphers on your server. It can change after upgrading the Windows version, with a registry key, or with programs like IIS Crypto.

If the web.config was encrypted using an algorithm that is now not allowed, it can fail to decrypt it.

My workaround was to use the "DataProtectionConfigurationProvider" encryption provider instead of the "RsaProtectedConfigurationProvider".

The main difference is that if you use the RsaProtectedConfigurationProvider you can copy the local machine private key and use it on a web farm.

So when you encrypt with aspnet_regiis -pe, pass this extra parameter: -prov "DataProtectionConfigurationProvider".

Those providers are located in the server's machine.config.

chopo77
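To compare what two encrypted web.config files actually record before changing providers, the following added example (not part of the question or the answer) lists the protection provider and the XML Encryption algorithm URIs for each encrypted section. The function name Get-EncryptedSectionInfo is hypothetical, and the sample XML and its two algorithm pairs are constructed for illustration, not the asker's values.

```powershell
# Added example: report the provider and XML-Encryption algorithms that each
# encrypted web.config section records, so two files can be compared.
function Get-EncryptedSectionInfo {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)

    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')

    foreach ($section in $Config.SelectNodes('//*[@configProtectionProvider]')) {
        # local-name() matches EncryptedData whether or not it carries a namespace
        $data = $section.SelectSingleNode("*[local-name()='EncryptedData']")
        if (-not $data) { continue }
        $key     = 'ds:KeyInfo/enc:EncryptedKey'
        $dataAlg = $data.SelectSingleNode('enc:EncryptionMethod/@Algorithm', $ns)
        $keyAlg  = $data.SelectSingleNode("$key/enc:EncryptionMethod/@Algorithm", $ns)
        [pscustomobject]@{
            Section       = $section.LocalName
            Provider      = $section.GetAttribute('configProtectionProvider')
            DataAlgorithm = if ($dataAlg) { $dataAlg.Value }   # null if not recorded
            KeyAlgorithm  = if ($keyAlg)  { $keyAlg.Value }    # null if not recorded
        }
    }
}

# Constructed sample input: one section, CipherValue contents replaced by a marker.
$template = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#{0}" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#{1}" />
          <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@
# Two constructed algorithm pairs standing in for two different files.
$fileA = Get-EncryptedSectionInfo ($template -f 'tripledes-cbc', 'rsa-1_5')
$fileB = Get-EncryptedSectionInfo ($template -f 'aes256-cbc', 'rsa-oaep-mgf1p')
$fileA, $fileB | Format-List
if ($fileA.DataAlgorithm -ne $fileB.DataAlgorithm) { 'Data algorithms differ between the two files.' }
```

For a real file, pass the parsed document instead of the template: Get-EncryptedSectionInfo ([xml](Get-Content -Raw .\web.config)).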