Encrypting web.config

By |February 20th, 2008

It’s usually a good practice to encrypt database connection strings and other sensitive configuration entries for a web application. .NET 2.0+ gives you a built-in mechanism to do this.

The instructions out there on MSDN are nice, but there doesn’t seem to be a page that outlines all the things you actually have to do to use a custom key container. I’m also faced with a deployment scenario on ancient Windows 2000 servers, and the commands are slightly different there. It’s pretty straightforward, so for posterity I’ll outline the steps here.

The core tool is delivered with the .NET framework and called aspnet_regiis.exe.
Key Generation
First of all, let’s create a new custom container to hold the application keys. Another option would be to use the system default container NetFrameworkConfigurationKey, but let’s create a container specific to our application:

C:\app> aspnet_regiis -pc MyCustomContainer
Creating RSA Key container…
Succeeded!

This creates the container and a new key inside it. The next step is to export the key into an XML file:

C:\app> aspnet_regiis -px MyCustomContainer mykeys.xml
Exporting RSA Keys to file…
Succeeded!

The file mykeys.xml now contains the keys. Keep this file safe; we will need to distribute it to the web farm later. The contents of the file look like this:

<RSAKeyValue><Modulus>5C31Pc/ppGZjWuoUdQ9HjiAIxp8UaVYvgYXz3K4i3qzpW9al6s+2kG8ktHpSfZ/y6H4qDpaqI2TU5ltYdxr4Iv6sPhnTEKMv1N7AWq/FNwVTCM8XiWXqs6K+UW7mDfCIArF1Fqo+kFV1LJtuPUahy2TOmnji+ZUzzuwFqzqFop0=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
Encrypt your application configuration
First of all, a new encryption provider needs to be registered in the web.config which specifies the custom key store to use. You can skip this when using the default key store. Pay special attention to the keyContainerName attribute; it must match the name of the container created above.

<!-- sets up the encrypted configuration to use a special container -->
<configProtectedData>
  <providers>
    <add name="MyCustomProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="MyCustomContainer"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

To now encrypt the configuration file from the command line (you can easily embed this into an […]
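The same encryption can be driven from code through the System.Configuration API, which is handy for a deployment script on a farm. The following is an added example, not code from the original post: it assumes the MyCustomProvider entry shown above is already in the target web.config, that the build references System.Configuration.dll and System.Web.dll, and that the account running it has been granted access to the key container (aspnet_regiis -pa).

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original post): protects or unprotects the
// connectionStrings and appSettings sections of a web.config using the
// "MyCustomProvider" provider registered in that file's configProtectedData.
class ProtectConfig
{
    // Sections that usually carry secrets; "connectionStrings" is the one the post cares about.
    static readonly string[] SectionNames = new string[] { "connectionStrings", "appSettings" };

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ProtectConfig <physical path of web app> [protect|unprotect]");
            return 1;
        }
        bool unprotect = args.Length > 1 && args[1] == "unprotect";

        // Map the virtual root "/" onto the physical directory so its web.config is opened,
        // without needing to run inside the web application itself.
        WebConfigurationFileMap map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(args[0], true));
        Configuration config = WebConfigurationManager.OpenMappedWebConfiguration(map, "/");

        foreach (string sectionName in SectionNames)
        {
            ConfigurationSection section = config.GetSection(sectionName);
            if (section == null) continue;

            if (unprotect && section.SectionInformation.IsProtected)
                section.SectionInformation.UnprotectSection();
            else if (!unprotect && !section.SectionInformation.IsProtected)
                // Same effect as aspnet_regiis -pe "connectionStrings" -prov MyCustomProvider:
                // the section is rewritten as <EncryptedData> and the provider name is recorded
                // in configProtectionProvider so the runtime decrypts it transparently.
                section.SectionInformation.ProtectSection("MyCustomProvider");

            // Make sure the rewritten section is written out even if nothing else changed.
            section.SectionInformation.ForceSave = true;
            Console.WriteLine("{0}: protected={1}", sectionName, section.SectionInformation.IsProtected);
        }
        config.Save(ConfigurationSaveMode.Modified);
        return 0;
    }
}
```

After protecting, the application keeps reading ConfigurationManager.ConnectionStrings as before; decryption happens inside the configuration system, so only the key container, not the application code, needs to be present on each farm member.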

Windows 2008 Server

By |February 17th, 2008

I freed up an old mainboard and installed Windows 2008 Server this weekend. I joined it into my home domain, enabled Aero on it, installed Office and Visual Studio 2008.
I was, however, a little surprised by various incompatibilities. Skype doesn’t work, and neither do Windows Live Messenger or any webcam drivers, D-Link wireless, Cisco VPN, or Symantec AV 10. Sure, it’s a server OS, but anyone who’s done M$ web development work knows that Vista/XP’s IIS light just sucks. Plus, if it’s just a server, why can I enable Aero?

More annoyances: the start bar resets itself to the same height with every restart, and the latest Firefox claims it was shut down incorrectly every time you open it. None of my USB compact flash readers work.

On the other hand, I also re-imaged my home server with CentOS 5.1, and I must admit I ran into even stranger problems, such as not having a mouse cursor and other strange behavior, mostly due to the nvidia drivers. The last functional user interface was and is the Un*x shell.