Encrypting connectionString of Web.config. Possible USER LEVEL KEY Solution (bit unorthodox)

Discussion in 'ASP.NET 2.0' started by hypothetico, Jan 15, 2006.

  1. I think it may be possible to get around the problem of the fact that, as pointed out by Aristotle
    in mikeymac's post titled Encrypting connectionString element of web.config.

    It's a bit unorthodox, as it requires changing the name of your local development system and creating a user account on it with the same name as the
    name of your user account at DiscountASP.

    This is necessary because user level keys require the Web.config to be encrypted using the same identity as that which will decrypt it at run time:

    msdn says... (at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp under the heading "Using RSA with a User-level Key
    Container to Encrypt a Connection String in Web.config" at point 7.)
    Because your application must access the data using the same identity that you used to encrypt the data, you often need to run the encryption command using your application's
    service account identity. To do so, you can start a command Window by using the runas command as shown below specifying an appropriate domain and user name.


    This will be problematic for some users - especially those whose dev system is on a LAN. My system is local and standalone, and running Windows XP
    Home. I was able to add an account with the same identity name as my identity/ account name at DiscountASP (aspnet_198211) and change the name
    of my local development server to match the identity name of their server (WEB125.) For me this has no significant effect on my system (but as I said -
    my system is not networked). It still requires DiscountASP to run aspnet_regiis on their servers, but without the apparent identity problems cited
    by Aristotle.

    Step 1. Rename development server and create an account on it that matches the identity of your DiscountASP account

    You can determine the identity under which your apps run at DiscountASp using the following bit of code:
    <%Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);%>

    Run the site on your local dev server and on the DiscountASP.NET server to confirm that the two match. (I have done this and it is A - OK.)

    Then just change the Full Computer Name in My Computer->System Properties->Computer Name(XP Home) to match the DiscountASP Web server. For me
    this was WEB125 - although depending on how the DiscountASP servers are configured - the server name may be different for others?

    Step 2. Run the following command from a command prompt to create a custom RSA encryption key: (note - I have substituted my own
    values for the names etc. aspnet_198211 is my DiscountASP user identity as determined using the above method. Others should probably use theirs )

    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pc "aspnet_198211_key" -exp

    Step 3. Add Custom provider to Web.config file (again - I have used my own key container name)




    <configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
      <providers>
        <!-- useMachineContainer="false" because we want to use USER LEVEL KEYS -->
        <add keyContainerName="aspnet_198211_key"
             useMachineContainer="false"
             description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
             name="aspnet_198211_provider"
             type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </configProtectedData>

    Step 4. Run the appropriate command to encrypt your Web.Config file using the newly created custom provider

    (I use aspnet_regiis -pef because I don't have IIS and therefore the -pe option doesn't work. Note: encryptresearch is my VWD project name)

    Mine:

    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "C:\Documents and Settings\aspnet_198211\My Documents\Visual Studio 2005\WebSites\encryptresearch" -prov "aspnet_198211_provider"

    MSDNs:

    aspnet_regiis -pe "connectionStrings" -app "/WebFarmRSA" -prov "CustomProvider"

    Step 5. Run the following command from a .NET command prompt to export the custom RSA encryption key:


    Mine:


    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -px "aspnet_198211_key" "C:\Documents and Settings\aspnet_198211\My Documents\Visual Studio 2005\WebSites\encryptresearch\aspnet_198211_key.xml" -pri


    MSDNs:


    aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri


    Step 6. Send the exported custom RSA key to DiscountASP and ask them to put it in your USER key location in your individual user account:


    Here is the name and contents of my customkey file so generated for my encryptresearch project - hopeful soul that I am


    aspnet_198211_key.xml


    <RSAKeyValue><Modulus>4fyAqGhXq1cY2d7BKt5eLEj3eigqoJiQxVayt4t8Kn2n4rUXyyAOAeExbGItEZ/i8/WnnzhraGxPe2H++1vtByFt5Xy8ClZdLQA0vawi6Su9/+QrRIa+NpY7T64dxD+U0f8pNvB7BMAflDQ88zL1Co8bag66tI0bjHtTtRr2mI8=</Modulus><Exponent>AQAB</Exponent><P>+kowuNjX1fGgUExX+WK7vKnhuyr3pMfYYZ0dvdSZdsnmtTPIhMQCxhQUKi7ASwdlXWXejSy62B45s9lBvIOefw==</P><Q>5yReXZtNqBlBmg5xFNcCgZhdBUt7XM0gPxKAcN+WACPyoMCIlIoWO2wtCg4kNFOcyz9nG0hqW6+RWElGrOYd8Q==</Q><DP>fxNP7WnbG7qUBHDecbXZT46JFzhXh4gXqmfVA95/FDqqMfHaqt3B8sObAVe/NdjJdEQWXGMLclLWRSPXJllFDQ==</DP><DQ>OZkDdtn7aPcaNNSCc0n80uRv0aD0lbR745utq/LbQx+yF0LDBhi+34HeW1IYzX1EZhVfkRnjfwNp+ZEQ7obNUQ==</DQ><InverseQ>zg2i5Dji+HTWr7axAxuz5VhYa0gdVYvyH8wC7IiYz6tHR8riVa1IeCXuZKMcjFvT0LuSRXW1oofTKFabyJlSwQ==</InverseQ><D>eREzRAWSYiKpF5900SiMPyFgI7t9CshxVqdZ22cIwCLNXHE0LAgiOPOR7MSz7GtBxPzoLi6lrC3KbwlS9wqKcnOUsY7eGUWi4ML2H0yx6+OKlzAv4Md8DsuLaS4fPCw696B+zFt4n1tiM68eWMHzVWi/BkUcIu3u8CBHse/0zME=</D></RSAKeyValue>


    Step 7. DiscountASP runs


    aspnet_regiis -pi "aspnet_198211_key" "C:\aspnet_198211_key.xml"


    Step 8. DiscountASP should not have to grant access to the ASP.NET application identity, because the key is located in that identity's
    user account, and the Web.config file encryption was performed with that identity.








    How damp am I?

    Be Cruel.

    Bruce

    Post Edited (Bruce) : 1/16/2006 5:09:35 PM GMT
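    A programmatic equivalent of Steps 4 and 8, added here as an example and not part of Bruce's post or of any DiscountASP tooling: a small C# console program that encrypts the connectionStrings section with the custom provider declared in Step 3 and then re-reads the section under the current identity, which is exactly the dependency a user-level key container introduces. It opens Web.config directly, so it works without IIS (the same situation as -pef). The site path and provider name come from the command line; the defaults `.` and `aspnet_198211_provider` are assumptions, and it should be run as the identity the site runs under (via runas), just as the MSDN text quoted above says.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.Principal;

// Added example: encrypt <connectionStrings> in a Web.config with a named
// RsaProtectedConfigurationProvider and confirm the current identity can read it back.
// Build against System.Configuration.dll (.NET 2.0) and run it as the site's identity,
// because a user-level key container is tied to that identity.
class ProtectConnectionStrings
{
    static int Main(string[] args)
    {
        // Assumed defaults: current directory and the provider name declared in Step 3.
        string sitePath = args.Length > 0 ? args[0] : ".";
        string providerName = args.Length > 1 ? args[1] : "aspnet_198211_provider";
        string webConfig = Path.Combine(sitePath, "Web.config");

        // This is the identity whose user store must hold the key container.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        if (!File.Exists(webConfig))
        {
            Console.Error.WriteLine("No Web.config at " + webConfig);
            return 1;
        }

        // Open the file by path; no IIS metabase lookup is involved.
        ExeConfigurationFileMap map = new ExeConfigurationFileMap();
        map.ExeConfigFilename = webConfig;
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
        {
            Console.Error.WriteLine("Web.config has no connectionStrings section.");
            return 1;
        }

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("Already encrypted with provider: " + section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            // The provider must be declared under <configProtectedData>, and the key container
            // it names must exist in this user's store because useMachineContainer="false".
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("Encrypted connectionStrings with provider: " + providerName);
        }

        // Re-open and decrypt as this identity. Only the names are printed, never the values.
        try
        {
            Configuration reopened = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
            ConnectionStringsSection cs = (ConnectionStringsSection)reopened.GetSection("connectionStrings");
            foreach (ConnectionStringSettings s in cs.ConnectionStrings)
                Console.WriteLine("Decrypted OK: " + s.Name);
            return 0;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Typical cause: the RSA container is not reachable from this identity's key store.
            Console.Error.WriteLine("Decryption failed under this identity: " + ex.Message);
            return 2;
        }
    }
}
```

    If the read-back step fails on the development box, it will fail on the web server too, since the runtime decrypts with the same provider and the same user-level container; that makes this a cheap pre-flight check before sending the exported key anywhere.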
     
  2. I submitted this proposed solution using user level key containers to DiscountASP, but they said it wouldn't work due to the fact that users on their server don't have user profiles. What does this mean and why is it relevant?


    As far as I know, all that is required for user level keys to work is import to/storage of the key in the user's windows account directory, and that the Web.config encryption is performed by the same user identity under which the web app runs. My solution provides for both of these contingencies.


    Anyone have any insight?


    Ta,





    Bruce
     
  3. This from DASP...

    Dear Bruce,

    The User Level keys are stored in the user's "documents and settings" folder. The aspnet users on our web servers do not have profiles so they don't have any windows account directory to store the keys.

    The path \Documents and Settings\your_aspnet_user\Application Data\Microsoft\Crypto\RSA does not exist.

    If you are worried about someone downloading or accessing your web.config file, the default permissions on your site prevent others from doing this.

    DiscountASP.NET
    The Power of ASP.NET for Less
     
