Saturday, February 16, 2008

Securing Configurations

Have you ever wanted to protect the values stored in your configuration files? aspnet_regiis helps you encrypt the configuration section(s) in your config files. The executable resides in "<windows_root>\Microsoft.NET\Framework\<framework_version>" and is commonly used to install ASP.NET on IIS, but you can use it to encrypt and decrypt configuration files as well.

Here is the command used to encrypt a section in the web.config of the SecureWebProj application:

aspnet_regiis.exe -pe connectionStrings -app /SecureWebProj

The -pe switch tells the executable to encrypt the specified section. Use -pd instead of -pe if you want to restore (decrypt) the section to its original values. The -app switch specifies the application's virtual path.

After encrypting the connectionStrings section, the web.config will look like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>j2E3lO/bMp8ljiDFKhRJu33zVD0mrXD7k5WV4nQ5uNJEav7cKcjhtO1ztCfxJw7ZE5uNdj+THVwJroZBoPEhtPAISPH75Zq
5C1G+5WOLcBwBBzbcp7C6i6U7+/IWmThTNFRAEdQp/lHryDkapep4MNUCGNZlcVLlmX0n/bqZEoE=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>D/Z9ZyH7P+9e3kDi5gLevpdqbjwia0uQ/cOB0gHVXc8=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>


Sometimes you need to point the operation directly at the application's physical path instead. This is useful when you are using the ASP.NET Development Server rather than IIS:
aspnet_regiis.exe -pef connectionStrings E:\Projects\SecureWebProj

Encrypting configuration sections doesn't prevent your code from reading the configuration values. If the project is already complete and you need to encrypt some sections of its configuration files, you don't have to modify the application code at all: the runtime decrypts the section transparently when it is read, so the code still runs properly and is unaffected by the encryption.

The nice part is that you can also encrypt web.config sections from within your own code. The following sample encrypts the connectionStrings section in the web.config of SecureWebProj:

using System.Configuration;
using System.Web.Configuration;

// Open the application's web.config by virtual path, protect the section and save.
Configuration cfg = WebConfigurationManager.OpenWebConfiguration("/SecureWebProj");
ConnectionStringsSection section = (ConnectionStringsSection)cfg.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
cfg.Save();
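The following is an added example that is not part of the original post. It generalizes the snippet above into a small utility: it opens a web.config either by virtual path (IIS) or by physical path (ASP.NET Development Server), checks whether the section is already protected before touching it, offers the decrypting counterpart of -pd, and shows that the section still reads as clear text afterwards. The physical path and the provider name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original post). Paths and names are assumptions.
public static class ConfigProtector
{
    // Open the web.config by application virtual path (IIS, like -app) or by a
    // physical file path (ASP.NET Development Server, like -pef).
    public static Configuration Open(string virtualPathOrFile)
    {
        if (virtualPathOrFile.StartsWith("/"))
            return WebConfigurationManager.OpenWebConfiguration(virtualPathOrFile);

        var map = new ExeConfigurationFileMap { ExeConfigFilename = virtualPathOrFile };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypts the section only if it is still in clear text. Returns true if it changed.
    public static bool Protect(Configuration cfg, string sectionName, string providerName)
    {
        ConfigurationSection section = cfg.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;                       // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(providerName);
        cfg.Save();
        return true;
    }

    // Counterpart of "aspnet_regiis -pd": restores the clear-text values.
    public static bool Unprotect(Configuration cfg, string sectionName)
    {
        ConfigurationSection section = cfg.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        cfg.Save();
        return true;
    }

    public static void Main()
    {
        // Assumption: physical path of the sample project's web.config.
        Configuration cfg = Open(@"E:\Projects\SecureWebProj\web.config");
        bool changed = Protect(cfg, "connectionStrings", "RsaProtectedConfigurationProvider");
        Console.WriteLine(changed ? "connectionStrings encrypted" : "connectionStrings was already encrypted");

        // Reading the section after encryption still yields clear text: the
        // runtime decrypts it on the fly, so application code needs no change.
        var cs = (ConnectionStringsSection)cfg.GetSection("connectionStrings");
        foreach (ConnectionStringSettings s in cs.ConnectionStrings)
            Console.WriteLine("{0}: provider={1}, length={2}", s.Name, s.ProviderName, s.ConnectionString.Length);
    }
}
```

The IsProtected check matters when the utility is run more than once (for example from a deployment script): ProtectSection on an already-encrypted section is not what you want. Only the name and length of each connection string are printed, never the decrypted value itself.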


You may ask: this is an encryption operation, so where are the encryption keys? By default, each .NET installation creates a key container on your machine formally called NetFrameworkConfigurationKey, which holds the keys the providers need. However, you can create a new key container using aspnet_regiis as well:
aspnet_regiis.exe -pc SecureKeyContainerName -exp

You can find more about securing your key containers in this MSDN entry: Securing ASP.NET Configuration. In the latter command, the -exp switch means the key container is exportable: you can export it to an XML file and import it on any other machine. This is useful when your application runs in a web farm and you want to share the encrypted configuration across the farm machines.
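The same web-farm key-sharing flow, done from code rather than with the aspnet_regiis switches, as an added example that is not part of the original post. It binds an RsaProtectedConfigurationProvider to the named container, creates an exportable key pair and writes it to XML on the first machine, imports that XML on the other farm machines, and registers the provider under configProtectedData in the application's web.config so that ProtectSection can use it. The provider name, the XML path and the 2048-bit key size are assumptions; the container name is the one from the -pc command above.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original post). Names and paths are assumptions.
public static class KeyContainers
{
    // Builds an RSA provider bound to a named, machine-level key container.
    // The parameter names are the ones RsaProtectedConfigurationProvider accepts.
    public static RsaProtectedConfigurationProvider Bind(string providerName, string containerName)
    {
        var parameters = new NameValueCollection();
        parameters["keyContainerName"] = containerName;
        parameters["useMachineContainer"] = "true";
        parameters["useOAEP"] = "true";   // RSA-OAEP padding instead of the rsa-1_5 shown in the XML above
        var provider = new RsaProtectedConfigurationProvider();
        provider.Initialize(providerName, parameters);
        return provider;
    }

    // Equivalent of "aspnet_regiis -pc <container> -exp" followed by an export:
    // create an exportable key pair and write it, private half included, to XML.
    public static void CreateAndExport(RsaProtectedConfigurationProvider provider, string xmlPath)
    {
        provider.AddKey(2048, exportable: true);
        provider.ExportKey(xmlPath, includePrivateParameters: true);
    }

    // On every other farm machine: import the same key pair so that sections
    // encrypted on any machine can be decrypted on all of them.
    public static void Import(RsaProtectedConfigurationProvider provider, string xmlPath)
    {
        provider.ImportKey(xmlPath);
    }

    // Registers the provider under <configProtectedData> in the application's
    // web.config so ProtectSection(providerName) can resolve it.
    public static void Register(Configuration cfg, string providerName, string containerName)
    {
        var protectedData = (ProtectedConfigurationSection)cfg.GetSection("configProtectedData");
        if (protectedData.Providers[providerName] != null)
            return;                             // already registered

        var settings = new ProviderSettings(providerName,
            typeof(RsaProtectedConfigurationProvider).AssemblyQualifiedName);
        settings.Parameters["keyContainerName"] = containerName;
        settings.Parameters["useMachineContainer"] = "true";
        settings.Parameters["useOAEP"] = "true";
        protectedData.Providers.Add(settings);
        cfg.Save();
    }

    public static void Main(string[] args)
    {
        const string providerName = "FarmRsaProvider";            // assumption
        const string containerName = "SecureKeyContainerName";    // from the -pc example above
        string xmlPath = @"C:\keys\SecureKeyContainerName.xml";   // assumption

        var provider = Bind(providerName, containerName);
        if (args.Length > 0 && args[0] == "import")
            Import(provider, xmlPath);          // run on the remaining farm machines
        else
            CreateAndExport(provider, xmlPath); // run once on the first machine

        Configuration cfg = WebConfigurationManager.OpenWebConfiguration("/SecureWebProj");
        Register(cfg, providerName, containerName);

        // Reopen so the newly registered provider is available to ProtectSection.
        cfg = WebConfigurationManager.OpenWebConfiguration("/SecureWebProj");
        cfg.GetSection("connectionStrings").SectionInformation.ProtectSection(providerName);
        cfg.Save();
    }
}
```

Two operational points follow from this flow. The exported XML file contains the private key, so it should be transferred over a protected channel and deleted from every machine once imported. And the account the application runs under needs read access to the container on each machine, which is what the -pa switch of aspnet_regiis grants; without it the section decrypts for the administrator who ran the import but not for the application itself.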
