  #1 (permalink)  
Old 21-02-2008, 14:25
new member
 
Join Date: Feb 2008
Posts: 3
Encrypting parts of .NET web.config - problems with shared hosting?

Hi there - just wondering if someone can advise me with a problem I've run into.

I've got a connection string set in my web.config file and I wanted to encrypt it so it wasn't plain text. I know ASP doesn't serve up the web.config file if requested, but I still wanted to encrypt it for extra security.

Unfortunately, it doesn't seem to work on my hosting as I get the message:

"Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened."

Apparently, this is something to do with running on shared hosting.

Could anyone shed any light on possible solutions?
  #2 (permalink)  
Old 23-02-2008, 05:11
System Administrator
 
Join Date: Dec 2006
Posts: 574

To encrypt configuration information in ASP.NET 2.0, keep the following things in mind:
  • All forms of encryption involve some sort of secret that is used when encrypting and decrypting the data. Symmetric encryption algorithms use the same secret key in both encrypting and decrypting a message, whereas asymmetric encryption algorithms use different keys for encrypting and decrypting. Regardless of the technique being used, the encryption scheme is only as safe as the secret key for decrypting.
  • The configuration encryption capabilities in ASP.NET 2.0 are designed to foil a hacker who somehow is able to retrieve your configuration files. The idea is that if the hacker has your Web.config file on her computer, she can't de-scramble the encrypted sections. However, when an ASP.NET page on the web server requests information from an encrypted configuration file, the data must be decrypted to be used (and this happens without you needing to write any code). Therefore, if a hacker is able to upload an ASP.NET web page to your system that queries the configuration file and displays its results, she can view the encrypted settings in plain-text. (There's an example ASP.NET page that can be downloaded at the end of this article that illustrates encrypting and decrypting various sections of the Web.config file; as you'll see, an ASP.NET page can access (and display) the plain-text version of the encrypted data.)
  • Encrypting and decrypting configuration sections carries a performance cost. Therefore, only encrypt the configuration sections that contain sensitive information. There's likely no need to encrypt, say, the <compilation> or <authorization> configuration sections.

Encryption Options:

Protecting configuration sections in ASP.NET 2.0 uses the provider model, which allows for any implementation to be seamlessly plugged into the API. The .NET Framework 2.0 ships with two built-in providers for protecting configuration sections:

* The Windows Data Protection API (DPAPI) Provider (DataProtectionConfigurationProvider): this provider uses the built-in cryptography capabilities of Windows to encrypt and decrypt the configuration sections. By default this provider uses the machine's key. You can also use user keys, but that requires a bit more customization. Since the keys are machine- or user-specific, the DPAPI provider does not work in settings where you want to deploy the same encrypted configuration file to multiple servers.

Refer to this Microsoft link on "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI" for more information on this process.

* RSA Protected Configuration Provider (RsaProtectedConfigurationProvider): uses RSA public key encryption to encrypt/decrypt the configuration sections. With this provider you need to create key containers that hold the public and private keys used for encrypting and decrypting the configuration information. You can use RSA in a multi-server scenario by creating exportable key containers.

Refer to this Microsoft link on "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" for more information on this process.

There's one more option for encrypting the configuration information in the web.config: encrypting it programmatically.
Please go through this link for more info on this type of encryption: davidhayden.com/blog/dave/archive/2005/11/17/2572.aspx

Once the data is encrypted, when it's read from an ASP.NET page (i.e., reading the connection string information from a SqlDataSource control or programmatically, via ConfigurationManager.ConnectionStrings[connStringName].ConnectionString), ASP.NET automatically decrypts the connection string and returns the plain-text value. In other words, you don't need to change your code one iota after implementing encryption.

Best of luck.
__________________

Rock _a.k.a._ Jack L.

http://www.eUKhost.com
Windows Hosting || Windows Reseller Hosting
  #3 (permalink)  
Old 25-02-2008, 09:17
new member
 
Join Date: Feb 2008
Posts: 3

Many thanks for the reply.

I've written a page that has 2 buttons - 1 to encrypt and 1 to decrypt (using RSA). When I click the encrypt button, it responds with an error:

Quote:
Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An error occurred loading a configuration file: Access to the path 'D:\Inetpub\vhosts\<myhost>\httpdocs\4cgcbevw.tmp' is denied.
I'm guessing this is because the server doesn't have write permission to the config file (I had to grant appropriate rights to the ASPNET account on my local PC before it worked locally). I can't change that, and I can't upload the web.config from the local PC because I can't register the local key on my hosting.

Not sure if there's a solution to this.
  #4 (permalink)  
Old 25-02-2008, 10:03
new member
 
Join Date: Feb 2008
Posts: 3

I found some info:

"In order to securely encrypt your web.config file, the RSA key must be installed on the server (with aspnet_regiis command or other programmatic means)."

I guess this depends on the webhost - is it possible to do this with EUKHost?
  #5 (permalink)  
Old 25-02-2008, 10:45
Windows System Administrator
 
Join Date: Nov 2005
Location: Earth
Posts: 385

Hello,

I am afraid it would not be possible to encrypt the connection string in the web.config on a shared server, owing to the number of commands that would need to be run at the server level to encrypt the web.config settings, and the server will not be able to read the already encrypted string without the RSA. It also would not be possible to export the client's RSA on the server to make this happen, or to provide the server's RSA, for security reasons.
__________________
Martin
Windows System Admin.


Windows VPS Hosting - Windows Dedicated Server - Web Hosting Tutorials

Email :: windows @ eUKhost.com AND support @ eUKhost.com
  #6 (permalink)  
Old 26-02-2008, 01:22
System Administrator
 
Join Date: Dec 2006
Posts: 574

Quote:
Originally Posted by kkbigal
I found some info:

"In order to securely encrypt your web.config file, the RSA key must be installed on the server (with aspnet_regiis command or other programmatic means)."

I guess this depends on the webhost - is it possible to do this with EUKHost?

You can try the Windows Data Protection API (DPAPI) Provider (DataProtectionConfigurationProvider) method rather than the RSA Protected Configuration Provider (RsaProtectedConfigurationProvider) one.
__________________

Rock _a.k.a._ Jack L.

http://www.eUKhost.com
Windows Hosting || Windows Reseller Hosting
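
The DPAPI route suggested in post #6, combined with the programmatic option from post #2, as an added example that is not code from any poster in this thread. The class and method names are hypothetical. It has to run on the hosting server itself, because the DPAPI machine key is machine-specific, and the save step still needs write access to the site folder, which is what failed in post #3.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (names are assumptions, not from the thread).
// Call it from a page that only the site administrator can reach, then
// remove that page: any code running inside the application can read the
// decrypted values, as post #2 points out.
public static class ConfigProtector
{
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in place and returns a status message.
    public static string ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null)
            return "No connectionStrings section found.";
        if (section.SectionInformation.IsProtected)
            return "Section is already encrypted; nothing to do.";
        if (section.SectionInformation.IsLocked)
            return "Section is locked by a parent configuration file.";

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;

        try
        {
            // Saving writes a temporary file beside web.config (the .tmp path
            // in post #3's error), so the worker account needs write access
            // to the folder, not just to web.config.
            config.Save(ConfigurationSaveMode.Modified);
        }
        catch (ConfigurationErrorsException ex)
        {
            return "Not saved, web.config is unchanged: " + ex.Message;
        }
        catch (UnauthorizedAccessException ex)
        {
            return "Not saved, no write access to the site folder: " + ex.Message;
        }
        return "connectionStrings encrypted with " + Provider + ".";
    }
}
```

Calling `ConfigProtector.ProtectConnectionStrings("~")` once is enough; code that reads `ConfigurationManager.ConnectionStrings[...]` afterwards needs no change.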