Re: DPAPI in a Load Balanced Environment
From: Aaron Margosis [MS] (aaron.margosis.ms_at_online.microsoft.com)
Date: 02/27/04
- Next message: Aaron Margosis [MS]: "Re: Who am I impersonating?"
- Previous message: Aaron Margosis [MS]: "Re: Access denied"
- In reply to: Ron Ifferte: "DPAPI in a Load Balanced Environment"
- Next in thread: Alek Davis: "Re: DPAPI in a Load Balanced Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 Feb 2004 02:24:25 -0500
Each server will have its own machine key for encrypting/decrypting data
using DPAPI. Data that is DPAPI-encrypted on one machine cannot be
decrypted on another machine.
>From Improving Web Application Security: Threats and Countermeaures
http://msdn.microsoft.com/library/en-us/secmod/html/secmod92.asp
Web Farm Considerations...
DPAPI
To encrypt data, developers sometimes use DPAPI. If you use DPAPI with the
machine key to store secrets, the encrypted string is specific to a given
computer and you cannot copy the encrypted data across computers in a Web
farm or cluster.
If you use DPAPI with a user key, you can decrypt the data on any computer
with a roaming user profile. However, this is not recommended because the
data can be decrypted by any machine on the network that can execute code
using the account which encrypted the data.
DPAPI is ideally suited to storing configuration secrets, for example,
database connection strings, that live on the Web server. Other encryption
techniques should be used when the encrypted data is stored on a remote
server, for example, in a database. For more information about storing
encrypted data in the database, see the module, "Building Secure Data
Access."
"Ron Ifferte" <rifferte@mac.com> wrote in message
news:51d3cb7.0402261315.4f50b45c@posting.google.com...
> Has anyone used the DPAPI to store database encryption keys and other
> data in a load balanced environment? Would multiple web servers be
> able to decrypt data if they were originally encrypted by another web
> server?
>
> My app works fine on a single box - but I am concerned about putting
> this into a load balanced production environment.
>
> What do I have to do to get this to work?
- Next message: Aaron Margosis [MS]: "Re: Who am I impersonating?"
- Previous message: Aaron Margosis [MS]: "Re: Access denied"
- In reply to: Ron Ifferte: "DPAPI in a Load Balanced Environment"
- Next in thread: Alek Davis: "Re: DPAPI in a Load Balanced Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
