Connection String RsaProtectedConfigurationProvider Strategy

Question

Scenario: I have a WPF desktop application which will be distributed on different machines for different customers. The application has an XML configuration file 'ApplicationConfiguration.xml' This XML file contains connection strings. I need to encrypt these connection strings as the ApplicationConfiguration.xml file will be copied to the installation folder of the application along with the main application exe.

Planned Strategy : My planned strategy was to encrypt the 'ApplicationConfiguration.xml' file after the installation. ( If I could do it during the installation then all the better )

What I have tried : Going with the strategy of encrypting the xml file AFTER installation I decided to write a simple winforms application to allow the user to browse for the 'ApplicationConfiguration.xml' and simply press a button to encrypt it. When I did this, I got a new file created in the form of an xml Configuration File. 'ApplicationConfiguration.xml.Config', but the original 'ApplicationConfiguration.xml' file still remained intact with the connection strings untouched... Now.... when i copied the contents of this file into my 'ApplicationConfiguration.xml' file the program was able to function as normal ... the xml is now encrypted remember. So it appears that the .NET 4.0 framework can DECRYPT the xml file without me having to write anymore code in my WPF application.

See code below to do the encryption:

   protected void EncryptConfig(Boolean bEncrypt)
    {
        string path = SelectedFilePath();

        Configuration config = ConfigurationManager.OpenExeConfiguration(path);

        // Define the Rsa provider name. 

        const string provider = "RsaProtectedConfigurationProvider";

        // Get the section to protect. 

        ConfigurationSection connStrings = config.ConnectionStrings;

        if (connStrings != null)
        {
            if (!connStrings.SectionInformation.IsProtected)
            {
                if (!connStrings.ElementInformation.IsLocked)
                {
                    // Protect the section.             
                    connStrings.SectionInformation.ProtectSection(provider);
                    connStrings.SectionInformation.ForceSave = true;
                    config.Save(ConfigurationSaveMode.Full);
                }
            }
        }

        MessageBox.Show("Config has been encrypted");
}

I have posted example output ( Replacing the CipherData with dummy characters ) which is created by the code above

    <?xml version="1.0" encoding="utf-8"?>
 <configuration>    
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <KeyName>Rsa Key</KeyName>
                </KeyInfo>
                <CipherData>
                    <CipherValue>skfjshsadfhsadkjfsadhfsadkhfdsafhsadkfhkljdfh=</CipherValue>
                </CipherData>
            </EncryptedKey>
        </KeyInfo>
        <CipherData>
            <CipherValue>adfdsafdsafdsfdsafsadfsadfsadfsdfasfdsadfsafsadfdsf=</CipherValue>
        </CipherData>
    </EncryptedData>
</connectionStrings>

So I have a few questions on what I have done above and what I am trying to do :

1) Can the application read the encrypted connection strings without writing new code in the WPF application ? And if so, will each machine be able to read the encrypted connection strings if I do all the encryption processing on my own machine? As I have read about the 'Key' required.. and dont understand where the keyName above ( Rsa Key ) comes from.

2) Why when I save the xml file in my above code example is there a new 'xml.config' file created? Should I be manually copying the newly generated code into the original applicationConfiguration.xml file?

Just to add, when I decrypt the new xml.config file using the following code:

       connStrings.SectionInformation.UnprotectSection();
                config.Save(ConfigurationSaveMode.Full);

.. I get the following output ! WHY! :)

    <?xml version="1.0" encoding="utf-8"?>
<configuration>
<connectionStrings>
    <clear />
    <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
        providerName="System.Data.SqlClient" />
</connectionStrings>
    </configuration>

I would have expected to get my original 3 connection strings... no?

Basically I am looking for the correct method to proceed with encrypting an xml file of connection strings and allow the application to be deployed and read on different machines.

Any help appreciated.

I remember reading about this but discarded the idea myself. When encrypting the configuration windows stores the generated key in a safe place within the registry, HKCU I believe. Thus, this must be done on each machine and / or user and cannot be done before shipping. — Stephan B, Dec 20 '11 at 17:07

score 0 · Answer 1 · edited Oct 11 '18 at 14:17

• Rename App.config file to web.config • Run Command prompt as admin:

• For encrypt:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" your project location within quotes and -prov "DataProtectionConfigurationProvider"

Example:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "D:\location\location1\location2\location3\location4" -prov "DataProtectionConfigurationProvider"

• For Decryption:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" your project location within quotes

Example:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" "D:\location\location1\location2\location3\location4"

• For error: add this in Configuration enter image description here

(xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0")

• Finally Rename web.config to App.Config

score 0 · Accepted Answer · edited May 23 '17 at 12:06

0

See .Net Encryption - Dataprotection API is no help here, you would need to send it unencrypted to have it locally encrypted to the machine / user key.

At best you can use any of the available encryption classes to encrypt it to a key stored within your app and hope nobody disassembles your software.

edited May 23 '17 at 12:06

Community

1
1

answered Dec 20 '11 at 17:21

Stephan B

3,671
20
33

Hi guys, ok so If I install the application on each machine as normal ... then run my encryption program to do the encryption stuff on each machine individually, that would do the job? Is that what you mean? thanks – Kev Dec 20 '11 at 20:26
@Kev In fact I'd say that it is the recommended approach. It is called something like 'per installation' or 'encryption during install'. Using DPAPI, thats the safest way. Typical way set up programs work is, they override the 'Before or After Install event' (forgive incorrect names) in an msi project and program the call the encryptor there. So when the msi file runs, the event gets triggerred and the config entries are encrypted during the installation process. There was an article on codeproject you might find useful. Sorry I dont have the link handy. – gmaran23 Sep 06 '12 at 12:42

Connection String RsaProtectedConfigurationProvider Strategy

2 Answers2