0
votes

I am trying to encrypt the connection string in my web.config. I have followed the guidelines by Microsoft, but it doesn't work. http://msdn.microsoft.com/en-us/library/ff650304.aspx#paght000006_step3

After I got "encrypting configuration sections succeeded!" in the command prompt, I deleted the "connectionStrings" section from my web.config and kept the newly added "connectionStrings" with encrypted data.

I had two MSSQL database connection strings for Entity Framework, but I am getting an error on runtime compile saying "The specified named connection is either not found in the configuration, not intended to be used with the EntityClient provider, or not valid."

When you open up the model edmx file and update the model from the database, Visual Studio displays an error saying "Failed to decrypt using provider RSAProtectedConfigurationProvider....The RSA key container could not be opened."

    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>..........</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>........</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>

-------- solved, answer below. ------


3 Answers

2
votes

It looks like the account which created the key is different from the account running the app. Have you ensured the appropriate accounts have access to the key store? From that article you sent...

To grant access to the ASP.NET application identity

a. If you are not sure which identity to use, check the identity from a Web page by using the following code:

    using System.Security.Principal;

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write(WindowsIdentity.GetCurrent().Name);
    }

By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. Open a .NET command prompt, and use the following command to give this account access to the NetFrameworkConfigurationKey store:

    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"

If the command runs successfully you will see the following output:

    Adding ACL for access to the RSA Key container... Succeeded!

You can check the ACL of the file in the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Your RSA key container file is the file in this folder with the most recent timestamp.

Also, these simple commands seemed to work for use of EF/Linq-to-Entities

0
votes

When you run aspnet commands, the encrypted data should replace the "connectionStrings"; if it doesn't, then it failed.

    aspnet_regiis -pe "connectionStrings" -app "/" -location "subfolder" -site "2"

I ran that command, but it turns out I don't need -location and that was incorrect.

I should have known, when the CipherValue XML field was so small.

However, these two commands do the trick...

    aspnet_regiis -pe "connectionStrings" -app "/" -site "2"

    aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\MyApp"
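A check for the symptom mentioned in the answer above (a very small CipherValue), as an added example that is not part of the original answers: it parses a web.config, reports the provider, algorithms and decoded CipherValue sizes, and flags a plaintext section or a suspiciously small ciphertext. The function names, the 64-byte threshold and the zero-filled sample data are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
MIN_DATA_BYTES = 64  # assumed threshold; tune to your own connection strings

def _describe(elem):
    """(algorithm name, decoded CipherValue size or None) for an xmlenc element."""
    method = elem.find(XENC + "EncryptionMethod")
    value = elem.find(f"{XENC}CipherData/{XENC}CipherValue")
    alg = None if method is None else method.get("Algorithm", "").rsplit("#", 1)[-1]
    try:
        text = "".join((value.text or "").split())
        return alg, len(base64.b64decode(text, validate=True))
    except (AttributeError, ValueError):
        return alg, None  # absent, elided ("....") or truncated value

def audit_section(config_xml, section="connectionStrings"):
    """Return (facts, findings) for how `section` is stored in a web.config."""
    node = ET.fromstring(config_xml).find(".//" + section)
    enc = None if node is None else node.find(XENC + "EncryptedData")
    if enc is None or node.get("configProtectionProvider") is None:
        return {}, ["section missing or stored in plaintext"]
    wrapped = enc.find(f"{DSIG}KeyInfo/{XENC}EncryptedKey")
    data_alg, data_len = _describe(enc)
    key_alg, key_len = (None, None) if wrapped is None else _describe(wrapped)
    facts = {"provider": node.get("configProtectionProvider"), "data_alg": data_alg,
             "data_bytes": data_len, "key_alg": key_alg, "key_bytes": key_len}
    if data_len is None or key_len is None:
        return facts, ["CipherValue missing or not valid base64"]
    if data_len < MIN_DATA_BYTES:
        return facts, ["ciphertext too small to hold a connection string"]
    return facts, []

def sample_config(key_len, data_len):
    """Constructed input: zero-filled CipherValues of the given decoded sizes."""
    b64 = lambda n: base64.b64encode(bytes(n)).decode()
    return f"""<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
 <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
   <CipherData><CipherValue>{b64(key_len)}</CipherValue></CipherData>
  </EncryptedKey></KeyInfo>
 <CipherData><CipherValue>{b64(data_len)}</CipherValue></CipherData>
</EncryptedData></connectionStrings></configuration>"""
```

Calling `audit_section(sample_config(128, 24))` reports the small-ciphertext finding, while a section that still contains `<add ... />` entries is reported as plaintext.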

-1
votes

Run this code on the server that publishes your project

    using System;
    using System.Configuration;
    using System.Web.Configuration;

    // Code-behind members of an ASP.NET Web Forms page.
    string provider = "RSAProtectedConfigurationProvider";
    string section = "connectionStrings";

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    // Encrypts the connectionStrings section in place if it is not already protected.
    protected void btnEncrypt_Click(object sender, EventArgs e)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        if (configSect != null && !configSect.SectionInformation.IsProtected)
        {
            configSect.SectionInformation.ProtectSection(provider);
            config.Save();
        }
    }

    // Decrypts the section again; the null check avoids a NullReferenceException
    // when the section is absent.
    protected void btnDecrypt_Click(object sender, EventArgs e)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        if (configSect != null && configSect.SectionInformation.IsProtected)
        {
            configSect.SectionInformation.UnprotectSection();
            config.Save();
        }
    }

From this link: http://www.codeproject.com/Tips/304638/Encrypt-or-Decrypt-Connection-Strings-in-web-confi

    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>WagJ9DDjWTNc1nmYVNQXaQqXalQzXaiCHAOtUJvTWBRZiuT6UK1fBElM80PnL6dC5Umb8qvfHdkSMgoMW9CJzwOTZ0zTy17JBGZqRQmlfW2G9LacoWIil0UrxjhgmJmRXhwXHFpdGwEVl7AoQGVlJGabXuChutaTxmfGOoUbCr0=</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>qry5qnr3qxOgyoNPeP7OKEiHpr/PPTsaeQ2mYUsSK7cg4Kkl9uPO4RyUXgBIkgCTsjbObqLlyndcSBnYyek6bxG/IBL82G1R5J1ci8i1eyt8kIDqouzYOx5vtouErld4z1L+7WGf9Wg37QAH5RiiEfkCHndJJq3dTqjxnnXZSno6NgbxSXDfqzwE/eKDVhGV3oaTQSfjVmO8e5a9wvREYeeyasDhojx8J2mdy7/Q9rEIpv98RTiRxA==</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>