We want to encrypt all our web app configuration files that we deploy to a server. We'd prefer to do this as a step in our build process and include the pre-encrypted files inside the MSI.
This means that our build server (encryptor) and production server (decryptor) need the same keys. So I'm trying to do a very basic test for now: encrypt a Web.Config on MachineA, decrypt it on MachineB. Here's what I've tried to test so far:
Create a new RSA Key Pair Container on my local pc.
aspnet_regiis -pc "MyContainer" -exp
Give ACL Permissions to me & the NetworkService users.
aspnet_regiis -pa "MyContainer" "MyDomain\My.Account"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
Export that key pair to an xml file
aspnet_regiis -px "MyContainer" C:\MyContainer.xml -pri
Copy that file to another pc & import it
aspnet_regiis -pi "MyContainer" C:\MyContainer.xml
Give my colleague & his machine's NetworkService user permissions on the newly imported key container
aspnet_regiis -pa "MyContainer" "MyDomain\My.Colleague"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
Next, I created a very simple web.config on my local machine.
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SecretKey" value="ValueWeWantToHide" />
  </appSettings>
  <configProtectedData>
    <providers>
      <add name="SampleProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
           keyContainerName="MyContainer"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
</configuration>
I can quite easily encrypt & decrypt the appSettings section here using the commands. They encrypt & decrypt successfully and the encrypted section is marked with the correct provider after encryption (<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">)
aspnet_regiis -pef appSettings D:\testapp
and
aspnet_regiis -pdf appSettings D:\testapp
However, when I copy the encrypted web.config to my colleague's PC and attempt to decrypt it with the command above, the decryption fails. It gives a very unhelpful error:
Failed to decrypt using provider 'RSAProtectedConfigurationProvider'. Error message from provider: Bad Data
And now I'm stuck. I've found a couple of similar issues on SO but nothing concrete that specifically solved their problems. Have I missed a step somewhere? I assume my key setup is valid since I can locally encrypt/decrypt. Is it possible I've cocked-up the key import or missed some step on my colleague's machine? Any help appreciated.
You are encrypting/decrypting using the default provider on your machine (this will be different for each machine).
You need to specify the provider:
On your colleague's machine:
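As an added illustration (not part of the answer above), the same provider selection can be done from code: a small console tool that protects or unprotects the appSettings section of the question's web.config and verifies that the section is stamped with the named provider "SampleProvider" (the container-backed provider from the question's configProtectedData) rather than the machine's default. The path and tool name are hypothetical; it needs references to System.Configuration and System.Web.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper: encrypt/decrypt <appSettings> using the provider declared
// in <configProtectedData>, so both machines resolve to the "MyContainer" RSA key
// container instead of whatever the local default provider happens to be.
class ConfigProtector
{
    // Provider name from the question's web.config, not the machine default.
    const string ProviderName = "SampleProvider";

    static Configuration Open(string physicalDir)
    {
        // Map the physical folder (e.g. D:\testapp) to the site root so
        // WebConfigurationManager loads that folder's web.config.
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Returns the provider name recorded on the section after protecting it.
    static string Protect(string physicalDir)
    {
        var config = Open(physicalDir);
        var info = config.GetSection("appSettings").SectionInformation;
        if (!info.IsProtected)
        {
            info.ProtectSection(ProviderName);   // explicit, not the default provider
            config.Save(ConfigurationSaveMode.Modified);
        }
        return info.ProtectionProvider.Name;     // expected: "SampleProvider"
    }

    // Decryption uses the provider named in configProtectionProvider; that name
    // must exist in the target machine's web.config and point at the same container.
    static void Unprotect(string physicalDir)
    {
        var config = Open(physicalDir);
        var info = config.GetSection("appSettings").SectionInformation;
        if (info.IsProtected)
        {
            info.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    static void Main(string[] args)
    {
        // usage: ConfigProtector encrypt|decrypt D:\testapp
        if (args[0] == "encrypt") Console.WriteLine("protected with " + Protect(args[1]));
        else Unprotect(args[1]);
    }
}
```

If the printed provider name is not "SampleProvider", the section was encrypted with the local default provider and will only decrypt on the machine that created it.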