0
votes

We are selling a web application to a client, and it includes some 3rd party components. These components require licensing keys to work, which we have stored in the web.config. As we are not selling the source code or the license we need to encrypt that value somehow.

Now I know that you can use aspnet_regiis to encrypt sections of the web.config, but my understanding is that this is done on the host machine and uses the unique machine ID to do the encrypting. That means I can only do the encrypting after the client deploys the web app.

Since we have no control over the deployment part, we need to encrypt this value beforehand. In essence, we need it encrypted when we hand over the app to the client.

Any ideas?

1
Are you certain you have the correct licensing arrangement with the vendor? If you have a license that allows you to sell an application with embedded 3rd party components, the component vendor should be providing the authentication solution. - mellamokb
The license keys should be the property of the client and not yours, and hence irrelevant. Distributing your own or in-house license keys is a bad idea. - Grant Thomas
@mellamokb - I'm not the legal department, but they assure me that this is the case. - System Down
@SystemDown - Now that I think about it, we have a similar situation in one of our applications used in our customer base. We have the license key just embedded in the source code actually, and if our customers really wanted to, they could use .Net reflector and get the key. I don't know what a good solution is really. - mellamokb
@mellamokb - Yeah, that was my first thought as well. I know some obfuscators can hide (encrypt?) plain text. It's an option I'm exploring. - System Down

1 Answer

1
votes

You can set the ProtectedConfigurationProvider when you run the command so that it does not use the default encryption mechanism, which uses the machine key, but instead uses a custom key container for encryption. One of the ProtectedConfigurationProviders is RsaProtectedConfigurationProvider, and the command would be as shown below. Read this & this for details.

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
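
The custom key container workflow the answer points to, written out as an added example (not part of the original answer): create an exportable RSA container on the build machine, encrypt the section before shipping, then import the key on the server that hosts the app. The container name `VendorKeys`, provider name `VendorRsaProvider`, the `appSettings` section, all paths and the app pool account are assumptions.

```powershell
# Added example. Assumed names: VendorKeys, VendorRsaProvider, appSettings, paths, account.
# web.config must declare the provider before the section is encrypted:
#   <configProtectedData>
#     <providers>
#       <add name="VendorRsaProvider"
#            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#            keyContainerName="VendorKeys" useMachineContainer="true" />
#     </providers>
#   </configProtectedData>

$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'VendorKeys'                    # assumed container name
$provider  = 'VendorRsaProvider'             # must match the name in web.config
$section   = 'appSettings'                   # assumed section holding the license keys
$keyFile   = 'C:\secure\VendorKeys.xml'      # assumed path; contains the private key

function Invoke-Regiis([string[]]$Arguments) {
    # Run aspnet_regiis and stop on the first failure.
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Protect-OnBuildMachine([string]$SitePath) {
    # Create a machine-level RSA key container whose keys can be exported.
    Invoke-Regiis '-pc', $container, '-exp'
    # Encrypt the section in $SitePath\web.config with the custom provider.
    Invoke-Regiis '-pef', $section, $SitePath, '-prov', $provider
    # Export the key pair, private key included, for the hosting server.
    Invoke-Regiis '-px', $container, $keyFile, '-pri'
}

function Install-OnTargetServer([string]$AppPoolAccount) {
    # Import the container, then let the worker process identity read it.
    Invoke-Regiis '-pi', $container, $keyFile
    Invoke-Regiis '-pa', $container, $AppPoolAccount
    # The exported file holds the private key; do not leave it on disk.
    Remove-Item -LiteralPath $keyFile -Force
}

# Build machine:  Protect-OnBuildMachine 'C:\build\SampleApplication'
# Target server:  Install-OnTargetServer 'IIS APPPOOL\SampleApplication'
```

The hosting server needs the private key to decrypt the section, so an administrator of that server can decrypt it as well (for example with `aspnet_regiis -pdf`). This protects the value in the shipped web.config, not from whoever controls the machine it runs on.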