Deploying pre-encrypted configuration files to a p

Published 2019-02-25 11:30

Question:

We want to encrypt all our web app configuration files that we deploy to a server. We'd prefer to do this as a step in our build process and include the pre-encrypted files inside the MSI.

This means that our build server (encryptor) and production server (decryptor) need the same keys. So I'm trying to do a very basic test for now. Encrypt a Web.Config on MachineA - Decrypt it on MachineB. Here's what I've tried to test so far:

Create a new RSA Key Pair Container on my local pc.

aspnet_regiis -pc "MyContainer" -exp

Give ACL Permissions to me & the NetworkService users.

aspnet_regiis -pa "MyContainer" "MyDomain\My.Account"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"

Export that key pair to an xml file

aspnet_regiis -px "MyContainer" C:\MyContainer.xml -pri

Copy that file to another pc & import it

aspnet_regiis -pi "MyContainer" C:\MyContainer.xml

Give my colleague & his machine's NetworkService user permissions on the newly imported key

aspnet_regiis -pa "MyContainer" "MyDomain\My.Colleague"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"

Next, I created a very simple web.config on my local machine.

<?xml version="1.0"?>
<configuration>
    <appSettings>
        <add key="SecretKey" value="ValueWeWantToHide" />
    </appSettings>
    <configProtectedData>
        <providers>
            <add name="SampleProvider"
                 type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
                 keyContainerName="MyContainer"
                 useMachineContainer="true" />
        </providers>
    </configProtectedData>
</configuration>

I can quite easily encrypt & decrypt the appSettings section here using the commands. They encrypt & decrypt successfully and the encrypted section is marked with the correct provider after encryption (<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">)

aspnet_regiis -pef appSettings D:\testapp
and
aspnet_regiis -pdf appSettings D:\testapp

However, when I copy the encrypted web.config to my colleague's PC and attempt to decrypt it with the command above, the decryption fails. It gives a very unhelpful error:

Failed to decrypt using provider 'RSAProtectedConfigurationProvider'. Error message from provider: Bad Data

And now I'm stuck. I've found a couple of similar issues on SO but nothing concrete that specifically solved their problems. Have I missed a step somewhere? I assume my key setup is valid since I can locally encrypt/decrypt. Is it possible I've cocked up the key import or missed some step on my colleague's machine? Any help appreciated.

Answer 1:

You are encrypting/decrypting using the default provider on your machine (this will be different for each machine).

You need to specify the provider:

aspnet_regiis -pef appSettings D:\testapp -prov "SampleProvider"

On your colleague's machine:

aspnet_regiis -pdf appSettings D:\testapp
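The following PowerShell script is an added example for the build-server side of the workflow described in the question and the answer; it is not code from the original post. It runs the encryption with the named provider (the answer's -prov fix) and then, before the web.config is packaged into the MSI, checks that the encrypted section's configProtectionProvider attribute actually names the shared provider and that the provider is declared against the expected key container. The paths D:\testapp, the section name appSettings, the provider name SampleProvider and the container name MyContainer are taken from the question; the assumption that aspnet_regiis.exe is on PATH is mine.

```powershell
# Added example (not from the original post). Assumes web.config in $AppDir declares the
# <configProtectedData> provider from the question and that aspnet_regiis.exe is on PATH.
param(
    [string]$AppDir = 'D:\testapp',
    [string]$Section = 'appSettings',
    [string]$ProviderName = 'SampleProvider',
    [string]$ContainerName = 'MyContainer'
)

function Get-ConfigProtectionProvider {
    # Returns the provider name stamped on the section after encryption,
    # or $null when the section is still plaintext.
    param([string]$ConfigPath, [string]$SectionName)
    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    $node = $xml.configuration.SelectSingleNode($SectionName)
    if ($null -eq $node) { throw "Section '$SectionName' not found in $ConfigPath" }
    $attr = $node.Attributes['configProtectionProvider']
    if ($null -eq $attr) { return $null }
    return $attr.Value
}

function Test-ProviderDeclared {
    # True when <configProtectedData><providers> declares a provider with this name
    # whose keyContainerName matches the container the target machine will import.
    param([string]$ConfigPath, [string]$Name, [string]$ExpectedContainer)
    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    $prov = $xml.configuration.configProtectedData.providers.add |
        Where-Object { $_.GetAttribute('name') -eq $Name }
    if ($null -eq $prov) { return $false }
    return ($prov.GetAttribute('keyContainerName') -eq $ExpectedContainer)
}

$configPath = Join-Path $AppDir 'web.config'

# Build server: encrypt with the *named* provider rather than the machine default.
& aspnet_regiis.exe -pef $Section $AppDir -prov $ProviderName
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }

# Pre-packaging check: the section must reference the shared provider, otherwise the
# production machine will try its own default RSA key and report 'Bad Data'.
$stamped = Get-ConfigProtectionProvider -ConfigPath $configPath -SectionName $Section
if ($stamped -ne $ProviderName) {
    throw "Section '$Section' is stamped with provider '$stamped'; expected '$ProviderName'."
}
if (-not (Test-ProviderDeclared -ConfigPath $configPath -Name $ProviderName -ExpectedContainer $ContainerName)) {
    throw "Provider '$ProviderName' is not declared with keyContainerName '$ContainerName' in $configPath."
}
Write-Host "OK: '$Section' encrypted with '$ProviderName' (key container '$ContainerName')."

# Production server, after the MSI has dropped the file and the container has been imported
# (aspnet_regiis -pi) and ACL'd for the app pool identity (aspnet_regiis -pa):
#   aspnet_regiis -pdf appSettings D:\testapp
# No -prov is needed there; the attribute on the section tells the runtime which provider to use.
```

Running this on the build machine turns the "Bad Data" failure from the question into a build-time error: if the attribute reads RsaProtectedConfigurationProvider instead of SampleProvider, the file was encrypted with a machine-local key and would never have decrypted on the target.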