Re: DPAPI in a Load Balanced Environment

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 02/28/04


Date: Fri, 27 Feb 2004 17:56:19 -0800

Ron,

A reasonable (security-wise) approach for your situation would be to have a
user-defined encryption key (either static or derived from a passphrase,
initialization vector (IV), etc.) which should be used by all servers on your
farm. What you need to do is, at application installation (on each server),
define this key and store it in secure form, so that only your application
can retrieve it. If your application is a Windows service (or some Windows
app which can run with a loaded user profile), you can encrypt this key (and
store it in the registry or app.config file) using DPAPI with the user store of
the account under which the app will run. This, of course, assumes that your
app and the app used to encrypt the key run under the same user account. There
may be some logistical challenges here, but it is feasible. You will also have
to store the key (or key characteristics, such as IV, etc.) somewhere to make
sure you can redefine it on another system, or if your original server fails,
or if you decide to run the app under a different account.

If your app is an ASP.NET app (or some app which cannot run with a loaded user
profile, such as a Web service), you can only use DPAPI with the machine key.
You can use the same logic/process, but it is not secure, because anyone who
gets access to the server will be able to decrypt the data (in the previous
case, the user would need to know the password of the user account, which is
unlikely). While some may argue that their servers are unhackable, life
proves that even the most guarded systems can be broken into (due to viruses,
app vulnerabilities, admin/user mistakes, etc.). Anyway, if you feel this is an
acceptable risk (and it may be, depending on the value of your data, support
infrastructure, etc.), go ahead and use it; otherwise, it will be a bit
tricky. Check this article; it may offer you some ideas and relevant
references: "Safeguard Database Connection Strings and Other Sensitive
Settings in Your Code"
(http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx).

In any case, under no circumstances should you encrypt database data using
DPAPI (with either the user or machine store). If your server gets rebuilt (or
the user is changed), you will lose the data, and there is nothing you will be
able to do to restore it, since you will not know how to generate the same key.

Alek

"Ron Ifferte" <rifferte@mac.com> wrote in message
news:51d3cb7.0402261315.4f50b45c@posting.google.com...
> Has anyone used the DPAPI to store database encryption keys and other
> data in a load balanced environment? Would multiple web servers be
> able to decrypt data if they were originally encrypted by another web
> server?
>
> My app works fine on a single box - but I am concerned about putting
> this into a load balanced production environment.
>
> What do I have to do to get this to work?
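
The install-time and run-time steps Alek describes above, as an added example
that is not code from this thread or from either poster. It uses the .NET
ProtectedData wrapper over DPAPI from Windows PowerShell: one random key is
generated for the whole farm, wrapped with DPAPI in the CurrentUser scope, and
stored in the service account's own registry hive; the service later unwraps it
at start-up. The registry path, value name and function names are assumptions
made for this example; the LocalMachine scope (the weaker ASP.NET option from
the post) is selectable through the -Scope parameter so both can be compared.

```powershell
# Added example (not from the original thread): protect an application encryption
# key with DPAPI so that only the Windows account that ran Install-AppKey can get
# it back. Run Install-AppKey on each server in the farm while logged on as the
# service account (profile loaded); the service must then run under that same
# account. Requires Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security

# Registry location and value name are assumptions for this example.
$RegPath   = 'HKCU:\Software\ExampleApp'
$ValueName = 'DbKey'

function New-AppKey {
    # One random 256-bit key, generated once for the whole farm. Keep an offline
    # copy (escrow) so you can re-run Install-AppKey on a rebuilt server or under
    # a new account; DPAPI will not hand it back to a different user.
    $key = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    return ,$key
}

function Protect-AppKey {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser,
        [byte[]]$Entropy = $null
    )
    # CurrentUser: only the same Windows account can decrypt (its DPAPI master key
    # is tied to the account password). LocalMachine: any process on this box can
    # decrypt, which is the weaker option the post describes for ASP.NET.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($Key, $Entropy, $Scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-AppKey {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser,
        [byte[]]$Entropy = $null
    )
    # Throws a CryptographicException when run under another account (CurrentUser
    # scope) or on another machine (either scope), which is exactly why the raw
    # key must be escrowed elsewhere and why DPAPI must never wrap the DB data.
    $blob = [Convert]::FromBase64String($Base64Blob)
    return ,[System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
}

function Install-AppKey {
    param([Parameter(Mandatory)][byte[]]$Key)
    # Install-time step: store the DPAPI-wrapped key under the service account's
    # own hive (HKCU), so the plaintext never sits in HKLM or in a config file.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value (Protect-AppKey -Key $Key)
}

function Get-AppKey {
    # Run-time step: what the service does at start-up to recover the key.
    $b64 = Get-ItemPropertyValue -Path $RegPath -Name $ValueName
    return Unprotect-AppKey -Base64Blob $b64
}

# Demonstration: round-trip under the current account.
$key = New-AppKey
Install-AppKey -Key $key
$recovered = Get-AppKey
$ok = [Convert]::ToBase64String($key) -eq [Convert]::ToBase64String($recovered)
Write-Host "DPAPI round-trip under $env:USERNAME succeeded: $ok"
```

To install on a farm member, start the script with `runas /user:DOMAIN\svcaccount powershell.exe` (runas loads the account's profile by default) and pass the escrowed key to Install-AppKey instead of calling New-AppKey again; a blob written by a different account, or copied from another server, will fail in Unprotect-AppKey rather than silently yield a wrong key.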


