I am deploying a website using AWS Elastic Beanstalk and it is very easy to deploy into a load balanced web farm.
Now, I want to encrypt some of the sections in the web.config for the sites that I have deployed, whether it is before deploying, or after.
There are many articles on how to use the Aspnet_regiis.exe tool using RSA to encrypt a section; however, the issue is when you are dealing with a web farm, because you need to export the private key to other servers.
From this article http://msdn.microsoft.com/en-us/library/ff647398.aspx see:
Web Farm Scenarios: If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RSAProtectedConfigurationProvider. This provider makes it easy for you to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.
However, my problem is that in a load balanced environment, servers are going to go up and down due to Autoscale rules, and I need a process to automate the management of the keys, that is, importing on a newly deployed server the private keys used to encrypt the Web.config.
Has anyone done this or can provide some insight?
Can you leverage container commands to import private keys? The command will be executed each time the instance is initialized. Once you begin keeping your keys in a persistent store, S3, for example, then autoscaling should not be an issue.
"Customizing the Software on EC2 Instances Running Windows" has more details on container commands.
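The approach suggested in the answer above could look like the following `.ebextensions` config. This is an added example, not part of the original posts. The bucket `example-key-bucket`, the object `webfarm-keys.xml`, the container name `WebFarmKeys`, the app pool `DefaultAppPool` and the 64-bit .NET 4 framework path are all assumptions to replace with your own values.

```yaml
# .ebextensions/01-import-rsa-key.config  (file name is an assumption)
# Lets the instance profile role read the exported key container from S3,
# so no AWS credentials are stored in the application bundle.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["example-key-bucket"]      # assumed bucket name
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

# Download the key container that was exported once with
# "aspnet_regiis -px" on the machine that encrypted Web.config.
files:
  "C:\\keys\\webfarm-keys.xml":
    source: https://example-key-bucket.s3.amazonaws.com/webfarm-keys.xml
    authentication: S3Auth

container_commands:
  # Import into the machine-level key store. "-exp" is deliberately left
  # out so the private key cannot be re-exported from a farm instance.
  01_import_key:
    command: '%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pi "WebFarmKeys" C:\keys\webfarm-keys.xml'
  # Allow the application pool identity to read the container
  # (assumed pool name: DefaultAppPool).
  02_grant_access:
    command: '%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pa "WebFarmKeys" "IIS APPPOOL\DefaultAppPool"'
  # Remove the plaintext key file from disk once it has been imported.
  03_delete_key_file:
    command: del /f /q C:\keys\webfarm-keys.xml
```

Restrict the bucket policy to the instance role and enable server-side encryption on the object, since the exported XML file contains the RSA private key in plaintext.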
Following @kukido's suggestion, what you need to do is create an .ebextension file with the following content.