{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 叛逆 的问题《Deploying pre-encrypted configuration files to a p》','https://www.manongdao.com/q-401322.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
We want to encrypt all our web app configuration files that we deploy to a server. We'd prefer to do this as a step in our build process and include the pre-encrypted files inside the MSI.
This means that our build server (encryptor) and production server (decryptor) need the same keys. So I'm trying to do a very basic test for now. Encrypt a Web.Config on MachineA - Decrypt it on MachineB. Here's what I've tried to test so far
Create a new RSA Key Pair Container on my local pc.
aspnet_regiis -pc "MyContainer" -exp
Give ACL Permissions to me & the NetworkService users.
aspnet_regiis -pa "MyContainer" "MyDomain\My.Account"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
Export that key pair to an xml file
aspnet_regiis -px "MyContainer" C:\MyContainer.xml -pri
Copy that file to another pc & import it
aspnet_regiis -pi "MyContainer" C:\MyContainer.xml
Give my colleague & his machines NetworkService user permissions on the newly imported file
aspnet_regiis -pa "MyContainer" "MyDomain\My.Colleague"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
Next, I created a very simple web.config on my local machine.
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="SecretKey" value="ValueWeWantToHide" />
</appSettings>
<configProtectedData>
<providers>
<add name="SampleProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
keyContainerName="MyContainer"
useMachineContainer="true" />
</providers>
</configProtectedData>
</configuration>
I can quite easily encrypt & decrypt the appSettings section here using the commands. They encrypt & decrypt successfully and the encrypted section is marked withe correct provider after encryption (<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">)
aspnet_regiis -pef appSettings D:\testapp
and
aspnet_regiis -pdf appSettings D:\testapp
However when I copy the encrypted web.config to my colleagues PC, and attempt to decrypt it with the command above, the decryption fails. It gives a very unhelpful error
Failed to decrypt using provider 'RSAProtectedConfigurationProvider'. Error message from provider: Bad Data
And now I'm stuck. I've found a couple of similar issues on SO but nothing concrete that specifically solved their problems. Have I missed a step somewhere. I assume my key setup is valid since I can locally encrypt/decrypt. Is it possible I've cocked-up the key import or missed some step on my colleagues machine. Any help appreciated.
You are encrypting/decripting using the default provider on your machine (this will be different for each machine).
You need to specify the provider:
On your colleagues machine: