Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
250 views
in Technique[技术] by (71.8m points)

c# - Encrypt and deploy app.config

I read and tested a lot to find the best practice to encrypt and deploy an app.config to different machines. In general, I would like to secure the content of the connection string from third parties and deploy the application to different machines. I will not configure each machine manually.

I know there are several ways like:

  • Aspnet_Regiis (RSAProtectedConfigurationProvider, DPAPIProtectedConfigurationProvider) bound to a machine, user or custom. RSA encryption key.

  • System.Security.Cryptography.ProtectedData bound to a machine or user.

  • Encrypt the app.config at the first execution. Which is not secure.

What do you recommend or what is the best practice to encrypt an app.config and provide the application to different machines by a setup or with copy&paste?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Step 1 Create an RSA keypair

aspnet_regiis -pc yourkey -exp

Step2 Export you key in XML file

aspnet_regiis -px yourkey keyfile.xml -pri

for each machines

Step3 Import your container

aspnet_regiis -pi yourkey keyfile.xml (see step 2)

for each machines

Step4 Edit machine.config (canonical path C:WindowsMicrosoft.NETFramework[64|32]v[Version]Config)

add in section configProtectedData this below element and set defaultProvider="YourProvider"

<add name="YourProvider"
                type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                description="Uses RsaCryptoServiceProvider to encrypt and decrypt for my infrastucture"

                keyContainerName="yourkey"

                cspProviderName=""
                useMachineContainer="true"
                useOAEP="false" />

Then you can encrypt in a machine and paste in other, remember that must give privileges to users with

aspnet_regiis -pa yourkey [DOMAINUSER]

The administrators group is already authorized.

For more info http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.90).aspx

of course this steps you can put in a powershell/batch file

Another way for encrypt a connectionStrings section by code is

 var connectionStrings = ConfigurationManager.GetSection("connectionStrings") 
 if(!section.SectionInformation.IsProtected)
     connectionStrings.SectionInformation.ProtectSection("YourProvider");

In a connected and client/server scenario I propose you a solution that I have adopted in a wide network is of not distribute connection string in app.config but of require the connection's information at a service that can be an web service or a RESTful service after the user authentication.

In step more o less is thus

  1. Authenticate user
  2. Require connection info at service with username as parameter (HTTPS protocol)
  3. a service return connection string
  4. App it connect at DB

With this solution you can choose which server the user connects if you have regional server or more server

I hope be helpful


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...