Protecting connection strings during dev
We need to protect connection strings during development. On servers we use DPAPI, which works fine. DPAPI is not an option during dev since the connection strings will need to be decrypted on many machines.
Some of the user names/passwords used for dev are rather sensitive and we don't want them floating around. It's fine for all the devs to be able to decrypt them, just want to ensure that if someone else gets their hands on the dev config files that person can't decrypt the connection strings. Using all service accounts instead of sensitive username/password is not an option due to external constraints.
My first inclination is to use the RSA provider for encrypting and installing the cert on the dev machines.
So my questions are:
1) How do you approach this issue?
2) If you take the RSA approach, is there more up-to-date documentation than this?
Thanks
Well, after more research we went with the RSA approach. Found some more updated documentation here. If you are going down this road, make sure you read everything RSA related in that link. Below are the steps we used if anyone is interested...
--FIRST TIME ONLY
-create the key container, making it exportable
aspnet_regiis -pc "MyKeys" -exp
-add this section to config file
<configProtectedData>
  <providers>
    <add name="RsaProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
-encrypt the connection strings
aspnet_regiis -pef "connectionStrings" "C:\Working\MyApplication" -prov RsaProvider
-give out the config file
-to decrypt
aspnet_regiis -pdf "connectionStrings" "C:\Working\MyApplication"
-export keys (will create keys.xml; -pri includes the private key, which is needed to decrypt)
aspnet_regiis -px "MyKeys" keys.xml -pri
--On some other machine
-save keys.xml somewhere
-import the keys. Make sure the name (e.g. MyKeys) is the same
aspnet_regiis -pi "MyKeys" keys.xml
-delete keys.xml!!!!!!!!!!!!!!
-give permissions to the service account if running as part of a webapp
e.g. aspnet_regiis -pa "PcscDev" "ASPNET"
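
A check that could run before the "give out the config file" step above, as an added example that is not part of the original answer: it confirms the connectionStrings section holds cipher text under the expected provider and no plaintext entries. The function name Test-ConnectionStringsProtected is hypothetical, and the two sample configs are constructed and reduced to the elements the check reads.

```powershell
# Added example, not from the original answer.
function Test-ConnectionStringsProtected {
    param(
        [Parameter(Mandatory)] [string] $ConfigXml,    # raw text of web.config / app.config
        [string] $ExpectedProvider = 'RsaProvider'     # assumption: name from <configProtectedData> above
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')

    # local-name() so a default xmlns on <configuration> does not hide the section
    $section = $doc.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    $reason = $null
    if ($null -eq $section) {
        $reason = 'no connectionStrings section found'
    } else {
        $provider = $section.GetAttribute('configProtectionProvider')
        $cipher   = $section.SelectSingleNode('enc:EncryptedData/enc:CipherData/enc:CipherValue', $ns)
        $plain    = $section.SelectNodes("*[local-name()='add'][@connectionString]")
        if ($plain.Count -gt 0) {
            $reason = "$($plain.Count) plaintext <add> entries present"
        } elseif ($null -eq $cipher -or -not $cipher.InnerText.Trim()) {
            $reason = 'no EncryptedData cipher text'
        } elseif ($provider -ne $ExpectedProvider) {
            # e.g. a DPAPI-protected section, which other dev machines cannot decrypt
            $reason = "protected by '$provider', expected '$ExpectedProvider'"
        }
    }
    [pscustomobject]@{ Protected = ($null -eq $reason); Reason = $reason }
}

# Constructed samples (not real config data).
$plainSample = @'
<configuration><connectionStrings>
  <add name="Db" connectionString="Server=db;User Id=CONSTRUCTED;Password=CONSTRUCTED" />
</connectionStrings></configuration>
'@
$protectedSample = @'
<configuration><connectionStrings configProtectionProvider="RsaProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>
'@
Test-ConnectionStringsProtected -ConfigXml $plainSample
Test-ConnectionStringsProtected -ConfigXml $protectedSample
```

For a real file, pass the output of Get-Content -Raw on the config and stop the hand-off when Protected is false.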