0
votes

I've spent a while googling this to no avail so either this is trickier than I thought or I fundamentally misunderstand how this works.

My web server has a service whose web.config file contains a machinekey. I want to encrypt it.

  <system.web>
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5" />
      <machineKey validationKey="[SOME KEY]"
          decryptionKey="[SOME OTHER KEY]"
          validation="HMACSHA256" decryption="AES" />
  </system.web>

To encrypt it is a simple powershell command:

C:\Windows\Microsoft.NET\Framework\v4.0.30319> & ".\aspnet_regiis" /PEF "system.web/machineKey" "[PATH TO FILE]"

This works fine. It encrypts. Decryption via the same method works fine too. HOWEVER, it defaults to Triple DES encryption. This is what the encrypted version of the machine key gives me:

  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    ...
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      ...
  </machineKey>

We don't want that. We want ASPNET_REGIIS to be encrypting with AES 256. My research so far tells me this can be done by specifying a "ProtectedConfigurationProvider" using the /PROV argument on the encryption script. This should make reference to an encryption provider in:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

I currently only have one provider in there, the default (RsaProtectedConfigurationProvider), which appears to be the one using Triple DES.

Does anyone have an idea of what steps need to be taken to get the machineKey encrypted via ASPNET_REGIIS using AES 256? Have I got something here terribly wrong?

Any help you can provide is greatly appreciated.

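The /PROV route described in the question, worked through end to end as an added example (not code from the question or the answer): it registers a second RsaProtectedConfigurationProvider entry in machine.config, encrypts the section with it, and then reads the EncryptionMethod element back to confirm which algorithm was really used. It assumes .NET Framework 4.5 or later, where the provider accepts a useFIPS="true" attribute that switches the section cipher from Triple DES to AES-256-CBC; the provider name RsaAesProvider and the web.config path are placeholders chosen here.

```powershell
# Added example; assumes .NET Framework 4.5+ (useFIPS on RsaProtectedConfigurationProvider).
$fx        = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319'
$webConfig = 'C:\inetpub\wwwroot\MyService\web.config'   # placeholder path
$provName  = 'RsaAesProvider'                             # name chosen for this example

# 1. Add a second provider to machine.config, leaving the default one untouched.
$mcPath = "$fx\Config\machine.config"
[xml]$machine = Get-Content $mcPath
$providers = $machine.configuration.configProtectedData.providers
if (-not ($providers.add | Where-Object { $_.name -eq $provName })) {
    $add = $machine.CreateElement('add')
    $add.SetAttribute('name', $provName)
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', 'NetFrameworkConfigurationKey')  # same RSA container as the default provider
    $add.SetAttribute('cspProviderName', '')
    $add.SetAttribute('useMachineContainer', 'true')
    $add.SetAttribute('useOAEP', 'true')
    $add.SetAttribute('useFIPS', 'true')   # assumption: this selects AES-256 instead of Triple DES
    [void]$providers.AppendChild($add)
    $machine.Save($mcPath)
}

# 2. Encrypt the section with that provider. -pef takes the application's
#    physical directory (the folder containing web.config), not the file itself.
& "$fx\aspnet_regiis.exe" -pef 'system.web/machineKey' (Split-Path $webConfig) -prov $provName

# 3. Verify: inspect the algorithm actually recorded in the encrypted section.
[xml]$web = Get-Content $webConfig
$alg = $web.configuration.'system.web'.machineKey.EncryptedData.EncryptionMethod.Algorithm
if ($alg -ne 'http://www.w3.org/2001/04/xmlenc#aes256-cbc') {
    throw "machineKey is protected with '$alg', not AES-256"
}
"machineKey encrypted with $alg"
```

Run it from an elevated prompt, since machine.config is writable only by administrators. A 64-bit application pool reads Framework64\v4.0.30319\Config\machine.config instead, so the provider has to be added to whichever machine.config the site's process actually loads.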

1 Answer

0
votes

Chris, I don't know if it can help you, but try to put it manually into your web.config:

 <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="AES"/>

I guess it's safer than adopting your own keys.