Using the RSA Provider to Encrypt a Connection String in Web.config in a Web Farm

Post date: Mar 18, 2011 11:25:45 AM

To do this, you must create a custom RSA encryption key container and deploy the same key container on all servers in your Web farm. This won't work by default because the default RSA encryption key, "NetFrameworkConfigurationKey", is different for each computer.

To use RSA encryption in a Web farm

1. Run the following command from a command prompt to create a custom RSA encryption key:
  1. aspnet_regiis -pc "CustomKeys" -exp
  2. The -exp switch indicates that the keys are exportable.
  3. If the command is successful, you will see the following output:
  4. Creating RSA Key container...
  5. Succeeded!
  7. You can verify that a custom key container exists by looking for the file and checking timestamps in the following location:
  8. \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
  9. \MachineKeys

Create a new Web project named WebFarmRSA. Make sure that this directory is configured as a virtual directory.
Add a Web.config configuration file to this directory.
Add a sample connectionString similar to the following example:
1. 1. <connectionStrings>
  2. <add name="MyLocalSQLServer"
  3. connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated
  4. Security=SSPI;" providerName="System.Data.SqlClient"/>
  5. </connectionStrings>
Add and configure a custom protected configuration provider. To do this, add the following <configProtectedData> section to the Web.config file. Note that the key container name is set to "CustomKeys", which is the name of the key container created previously.

- 1. ...
  2. <configProtectedData>
  3. <providers>
  4. <add keyContainerName="CustomKeys"
  5. useMachineContainer="true"
  6. description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
  7. name="CustomProvider" type="System.Configuration.RsaProtec
  8. tedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral,
  9. PublicKeyToken=b03f5f7f11d50a3a" />
  10. </providers>
  11. </configProtectedData>
  12. ...

1. Run the following command from an SDK Command Prompt to encrypt the connectionStrings section using the custom RSA key:
  1. aspnet_regiis -pe "connectionStrings" -app "/WebFarmRSA" -prov "CustomProvider"
  2. If the encryption is successful, you will see the following output:
  3. Encrypting configuration section...
  4. Succeeded!

Review the Web.config file and examine the changes. The following elements are modified:

- <EncryptedData>
- <CipherData>
- <CipherValue>
  1. Your modified Web.Config file, with the connectionStrings section encrypted, should be similar to the following example:
    1. 1. ...
      2. <connectionStrings configProtectionProvider="CustomProvider">
      3. <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      4. xmlns="http://www.w3.org/2001/04/xmlenc#">
      5. <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      6. <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      7. <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      8. <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
      9. <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      10. <KeyName>Rsa Key</KeyName>
      11. </KeyInfo>
      12. <CipherData>
      13. <CipherValue>MWOaFwkByLRrvoGYeFUPMmN7e9uwC0D7gFEeyxs3Obll710dLQvD5XaM
        WcRxg1WwtOE9nysPQRrIJUaCm0b26LGUoa/giGEfvWnslU2kig9SPICzsQAqU
        SB/inhRckWceb2xdy7TT+

- - - - EI/vfsu6itJwE2AicMCTwx5I828mP8lV4=</CipherValue>

- 1. 1. 1. </CipherData>
      2. </EncryptedKey>
      3. </KeyInfo>
      4. <CipherData>
      5. <CipherValue>IKO9jezdlJ/k1snyw5+e11cd9IVTlVfHBHSiYLgICf1EnMNd5WxVDW

- - - - Tuif7oP4Emgaoa+ewLnETSN411Gow28EKcLpbKWJDOC/9o7g503YM4cnIvkQO
        omkYlL+MzMb3Rc1FSLiM9ncKQLZi+JkRhlDIxFlsrFpKJhdNf5A0Sq2P71
        ZLI6G6QDCehHyn3kCZyBmVWJ0ueoGWXV4y</CipherValue>

- 1. 1. 1. </CipherData>
      2. </EncryptedData>
      3. </connectionStrings>
      4. ...

1. Run the following command from a .NET command prompt to export the custom RSA encryption key:
  1. aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri
  2. The -pri switch causes the private and public key to be exported. This enables both encryption and decryption. Without the pri switch, you would only be able to encrypt data with the exported key.
  3. If the command is successful, you will see the following output:
  4. Exporting RSA Keys to file...
  5. Succeeded!

Deploy the application and the encrypted Web.config file on a different server computer. Also copy the CustomKeys.xml file to a local directory on the other server, for example to the C:\ directory.

1. On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:
  1. aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"
  2. If the command is successful, you will see the following output:
  3. Importing RSA Keys from file..
  4. Succeeded!
  6. Note After you have finished exporting and importing the RSA keys, it is important for security reasons to delete the CustomsKeys.xml file from both machines.

Grant access to the ASP.NET application identity.

1. The account used to run your Web application must be able to read the RSA key container. If you are not sure which identity your application uses, you can check this by adding the following code to a Web page:
  1. 1. using System.Security.Principal;
    2. ...
    3. protected void Page_Load(object sender, EventArgs e)
    4. {
    5. Response.Write(WindowsIdentity.GetCurrent().Name);
    6. }

- 2. By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. The following command grants this account access to the CustomKeys store:
  3. aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"
  4. If the command runs successfully, you will see the following output.
  5. Adding ACL for access to the RSA Key container...
  6. Succeeded!
  8. You can check the ACL of the file in the following folder:
  9. \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  11. Your RSA key container file will be the one in this folder with the most recent timestamp.

Add the following Default.aspx Web page to your application's virtual directory, and then browse to this page to verify that encryption and decryption work correctly.

- 1. <%@ Page Language="C#" %>
  2. <script runat="server">
  3. protected void Page_Load(object sender, EventArgs e)
  4. {
  5. Response.Write("Clear text connection string is: " +
  6. ConfigurationManager.ConnectionStrings
  7. ["MyLocalSQLServer"].ConnectionString);
  8. }
  9. </script>
  10. <html>
  11. <body/>
  12. </html>
  14. MyLocalSQLServer is the name of the connection string you specified previously in the Web.config file.

Additional Resources

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI