开发者

Encrypting Web.config and installing

I am new to the encryption process and have tried unsuccessfully to install an encrypted web.config file onto a hosting companies server. I am using Microsoft Visual Web Developer 2010 Express.

I have followed the steps located in Walkthrough: Encrypting Configuration Information Using Protected several times.

Please Note regarding the walkthrough, I do not have any machineKeys in my web.config file, so I skipped that encryption step.

When I Ran the aspnet_regiis -pef connectionStrings "c:\Users......\mywebsite.com"

Return is: Encrypting configuration section ... Succeeded!

2) I then FTP my web.config file and the site gets the below error: Note: The Line 8 is highlighted)

Server Error in '/' Application.

Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.

Source Error:

Line 6: Line 7: Line 8: Line 10:

Source File: C:\HostingSpaces*username**mywebsite.com*\wwwroot\web.config Line: 8


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1


I know there must be some piece missing but I have searched and have not found anything. I emailed the hosting company to find out if they need to do anything regarding encrypting web sites and they have not responded yet.

What I would expect is that there is a key that resides elsewhere which takes the encrypted value and decrypts it using an algorhythm. If this is so, where would I get that key and where would it go.

Any help is greatly appr开发者_JAVA百科eciated and somewhat surprised I cannot find any issues similar to this on the web.

Thanks Much.


I don't have a direct answer to your question, but here's a simple technique to encrypt web.config. It may not be the best way, but it might be enough to get you started. This technique encrypts web.config during application start-up.

VERY IMPORTANT: make sure this code only runs in production. If you run it during development, you'll encrypt your source web.config and you won't be able to get it back.

   private static void EncryptConfig() {
        System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration(HostingEnvironment.ApplicationVirtualPath);

        foreach (string sectionName in new[] { "connectionStrings", "appSettings" }) {
            ConfigurationSection section = config.GetSection(sectionName);
            if (!section.SectionInformation.IsProtected) {
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            }
        }

        config.Save();
    }

You can then call this method in Application_Start()

protected void Application_Start() {
            if (IsProduction) {
                EncryptConfig();
            }
}

This solution isn't perfect because when you deploy your web.config to your production server, it won't be encrypted. Because the encryption happens during runtime, it will only be encrypted once your application starts. When the first request comes in, web.config will be encrypted. When the second request comes in, your app will need to restart because asp.net will detect that web.config was changed. And then from that point on, your app will operate normally with an encrypted web.config. The benefit of this technique is that the encryption happens automatically. Whenever you deploy a new web.config file, it will automatically be encrypted during start-up.

Important: Make sure that EncryptConfig() only runs in production so that you don't encrypt your source web.config.


Jonny O - Thanks. This worked so easily. CP

I added the global.asax file and here are the code snippets that went into this file (global.asax.cs).

Granted much of this is duplicated from above, but it is my entire solution. Thanks again.

using System.Web.Configuration;
using System.Configuration;
using System.Web.Hosting;

    protected void Application_Start(object sender, EventArgs e)
    {
        //Test to see if this app is being started on the development machine (e.g. in the debugger)
        //This code will encript web.config the first time this program runs.
        //Therefore, it is important to have a backup copy of the non-encrypted web.config as this
        //code below will encrypt it, which is what we want to happen on the production server.            
        if (! System.Diagnostics.Debugger.IsAttached )
        {
            EncryptConfig();  //See below
        }
    }



    /// <summary>
    /// This technique of encrypting the web.config file was learned from this forum post:
    /// http://stackoverflow.com/questions/5602630/encrypting-web-config-and-installing
    /// </summary>
    private static void EncryptConfig()
    {
        System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration(HostingEnvironment.ApplicationVirtualPath);

        foreach (string sectionName in new[] { "connectionStrings", "appSettings" })
        {
            ConfigurationSection section = config.GetSection(sectionName);
            if (!section.SectionInformation.IsProtected)
            {
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            }
        }

        config.Save();
    }
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜