RE: rsa encrtyption
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng [MSFT])
- Date: Tue, 06 May 2008 05:58:42 GMT
Hi Chuck,
From your description, you're encountering some problems about encyptingweb.config via exportable RSA provider, correct?
According to the RSA encryption reference, I've performed some local tests,
the normal process of encrypting web.config section via RSA provider and
move to other machine is as below:
======================
Step 1
Create a machine-level RSA key container:
aspnet_regiis -pc "MyTestKeys" -exp
Step 2
Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
Step 3
Encrypt the config file:
aspnet_regiis -pef "connectionStrings" "physical path of the web site
folder" -prov MyRSAProvider
export the container and import it back to other machine using the
following steps
Step 4
Export the machine-level RSA key container:
aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri
Step 5
Copy Config-Key.xml to c:\ on 2nd server
Step 6
Import the the machine-level RSA key container on the 2nd server:
aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"
Step 7
Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
Step 8
Copy encrypted web.config to 2nd server
========================
Based on the steps you mentioned, I think most of the process you've
followed should be correct. So far I'd like to suggest you check the
following things:
1. Check your custom RSA provider setting to see whether it is correctly
copied to target machine also and set to use Machine container
========encrypt config section=======
<configProtectedData>
<providers>
<add keyContainerName="MyTestKeys"
useMachineContainer="true"
description="Uses RsaCryptoServiceProvider to encrypt and
decrypt"
name="MyRSAProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configur
ation, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
=======================
2. AS in the above steps, after you create RSA key container, you need to
use "aspnet_regiis -pa" to make sure that the certain account(which will
run your ASP.NET application) has the sufficient access permission to the
key container. Generally, when you use VS 2008/VS 2005 test server to run
ASP.NET application, you're using the logon user(which is probably the
admin), however, if you run the ASP.NET in IIS (or after move to other
server which is using another different process account), you need to make
sure the certain process account have been granted the permission.
You can check them to see whether the problem is due to some of them.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: rsa encrtyption
thread-index: Aciu+8jtjzMaoNRFQOC625A+xhVV9A==
X-WBNR-Posting-Host: 207.46.19.197
From: =?Utf-8?B?Q2h1Y2sgUA==?= <Chuck@xxxxxxxxxxxxxxxx>
Subject: rsa encrtyption
Date: Mon, 5 May 2008 15:03:01 -0700
ions\2.0@MSBuildToolsPath)aspnet_regiis.exe
I created a key for encrypting my web.config
aspnet_regiis -pz WebEncryptionKeys
aspnet_regiis -pc WebEncryptionKeys -exp
exported them
aspnet_regiis -px WebEncryptionKeys c:\WebEncryptionKeys_Public.xml -pri
imported them to developers and server machines
aspnet_regiis -pi "WebEncryptionKeys" "c:\WebEncryptionKeys_Public.xml "
Then in MsBuild I run
<Target Name="AfterBuild">
<Exec WorkingDirectory="$(OutputPath)"
Command="$(Registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVers
-pef connectionStrings $(OutputPath) -prov HrCustomProvider" />to
This works fine from my machine, the web.config gets encrypted and moved
the server.server,
However, if a co-worker runs the same msBuild on her machine, we get a bad
data error when the website is hit on the server. If I deploy to the
she can logon to the server and encrypt and decrpyt the web.config.
I re-imported the encryption keys to her machine with the same results.
The only thing I can think of is that her machine is using a different
version of the encrtyption algorithims?
So I had her run windows update on her machine, couple things got updated
sql server mostly.
I logged on to her machine, deployment worked.
She logged on to her machine, deployment worked.
The keys were created months ago. Any idea what happened?
.
- Follow-Ups:
- RE: rsa encrtyption
- From: Chuck P
- RE: rsa encrtyption
- References:
- rsa encrtyption
- From: Chuck P
- rsa encrtyption
- Prev by Date: Re: rsa encrtyption
- Next by Date: RE: rsa encrtyption
- Previous by thread: Re: rsa encrtyption
- Next by thread: RE: rsa encrtyption
- Index(es):
Relevant Pages
|
