
Asp.net 2.0 deployment with encryption

I need to deploy an asp.net 2.0 application that has dpapi/machine
encrypted connection strings.

I tried using the VS Build Publish menu selection and then putting the
encryption in the global.asax application_start event. Unfortunately
this errors because the asp.net account doesn't have write permissions
to web.config. I'd rather not give permissions to the account.

I tried writing a batch file to compile and then encrypt the
application. That doesn't work because the compile machine is not the
same as the deployment machine and the machine keys are naturally
different.

Is there a way to automate the deployment process so that the deployer
doesn't have to remote on to the server where the app is to be
deployed?

thanks,

Apr 18 '06 #1
Hi Chuck,

Thank you for posting and glad to see you again.

As for the ASP.NET 2.0 configuration section protection, it provides two
encryption approaches, DPAPI and RSA. I think the current approach you're
using is the DPAPI one, which is mentioned in the following article, correct?

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/library/en...5.asp?frame=true

As for this data protection, it is something like symmetric data
encryption, which uses a single shared session key to encrypt and decrypt
the data. Also, this session key is machine specific (or user store specific),
which makes it not portable from machine to machine. So when you're using
this approach (DPAPI) to protect the configuration section, we should do the
final encrypting work on the deployment server rather than on the
development server (where you compile the application). And normally, the
work (executing the aspnet_regiis tool from the command line to encrypt the
application's configuration section) is done by the deployment server's
administrator.

Then, what shall we do if we want the encrypting work done before the
application is deployed to the target deployment server (on the
development server)? Well, this brings out the second option: the RSA
data encryption approach. Actually, the above article (about the DPAPI
approach) also mentions this in its final section, about protecting
configuration data in a web farm scenario.

The RSA approach is just based on RSA asymmetric data encryption/decryption,
which uses a public/private key pair. So when we want to make multiple
web servers share the protection key setting (e.g. do the encryption on the
web.config file on one server, and when deploying it to other servers, also
want the protected data to be usable without additional work), we can create a
custom RSA key pair, and on the development server, we still use the
aspnet_regiis tool to encrypt the web.config using the created RSA key pair's
public key, and export the private key (which is necessary for decrypting
the data) to other servers which will want to decrypt the data (for your
scenario, it's the deployment server). And all the tasks mentioned here,
like creating the RSA key pair, encrypting with it, or exporting it, can be
done via the aspnet_regiis tool.

Here is another MSDN article which mentions using the RSA approach to do the
configuration protection (also referenced in the above article):

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/library/en...6.asp?frame=true

Hope this helps you.

Regards,

Steven Cheng
Microsoft Online Community Support
====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Apr 19 '06 #2
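
The RSA key-container workflow described in the reply above, sketched as a PowerShell wrapper around aspnet_regiis (an added example, not code from the thread). The container name, provider name, paths and worker identity are assumed values; run it with `-Role Build` on the machine that encrypts and with `-Role Target` on the deployment server.

```powershell
# Added example, not from the thread. Container, provider, paths and identity are assumed values.
# web.config must already declare an RsaProtectedConfigurationProvider named $Provider
# with keyContainerName="$Container" and useMachineContainer="true".
param(
    [Parameter(Mandatory)][ValidateSet('Build', 'Target')][string]$Role,
    [string]$Container   = 'DeployKeys',
    [string]$Provider    = 'DeployRsaProvider',
    [string]$SitePath    = 'C:\Publish\MyApp',
    [string]$KeyFile     = 'C:\Secure\DeployKeys.xml',
    [string]$AppIdentity = 'NT AUTHORITY\NETWORK SERVICE'
)
$ErrorActionPreference = 'Stop'
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

function Invoke-Regiis {
    # Run aspnet_regiis with the given arguments and stop on a non-zero exit code.
    & $regiis @args
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed: $($args -join ' ')" }
}

if ($Role -eq 'Build') {
    $config = Join-Path $SitePath 'web.config'
    if (-not (Select-String -Path $config -Pattern $Provider -SimpleMatch -Quiet)) {
        throw "Provider '$Provider' is not declared in $config"
    }
    # 1. One-time step: create a machine-level RSA key container whose key can be exported.
    Invoke-Regiis '-pc' $Container '-exp'
    # 2. Encrypt <connectionStrings> in the published web.config with that provider.
    Invoke-Regiis '-pef' 'connectionStrings' $SitePath '-prov' $Provider
    # 3. Export the key pair. -pri includes the private key, so treat the file as a secret.
    Invoke-Regiis '-px' $Container $KeyFile '-pri'
    Write-Host "Encrypted $config; move $KeyFile to the target over a protected channel."
}
else {
    # 4. Import the key pair into the target server's machine key store.
    Invoke-Regiis '-pi' $Container $KeyFile
    # 5. Let the ASP.NET worker identity read the container; web.config needs no write ACL.
    Invoke-Regiis '-pa' $Container $AppIdentity
    # 6. Remove the exported key file once it is imported.
    Remove-Item -Path $KeyFile -Force
    Write-Host "Container '$Container' imported and readable by $AppIdentity."
}
```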
Thanks, Steven

I had read the web farm stuff, but didn't think of using it since I
don't have a web farm.

I guess I will create an RSA key on the production server.

Export the public xml/key to a common location on some server.

Write a batch file on the development machine that compiles the app
and then encrypts the web.config using the xml file on the production
server.

That way any developer can deploy the app and I don't have to give the
aspnet account any write permissions.

Apr 19 '06 #3
Thanks for your response Chuck,

Yes, the webfarm/RSA approach also opens the way to make the encrypted
configuration readable on another server, as long as we export the correct RSA
key to the target server machine.

Good luck!

Regards,

Steven Cheng
Microsoft Online Community Support

Apr 20 '06 #4
