473,287 Members | 1,582 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,287 software developers and data experts.

Asp.net 2.0 deployment with encryption

I need to deploy and asp.net 2.0 application that has dpapi/machine
encrypted connection strings.

I tried using the VS Build Publish menu selection and then putting the
encryption in the global.asax application_start event. Unfortunately
this errors because the asp.net account doesn't have write permissions
to web.config. I'd rather not give permissions to the account.

I tried writing a batch file to compile and then encrypt the
application. That doesn't work because the compile machine is not the
same as the deployment machine and the machine keys are naturally
different.

Is there a way to automate the deployment process so that the deployer
doesn't have to remote on to the server where the app is to be
deployed?

thanks,

Apr 18 '06 #1
3 2768
Hi Chuck,

Thank you for posting and glad to see you again.

As for the ASP.NET 2.0 configuration section protection, it provides two
encryption approachs, DPAPI and RSA. I think the current approach you're
using is the DPAPI one which is mentioend in the following article, correct?

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/library/en...5.asp?frame=tr
ue

As for this data protection, it is something like a symmetic data
encryption which use a single shared session key to encrypt and decrypte
the data. Also, this session key is machine specific(or user storespecific)
which make it not portable from machine to machine. So when you're using
this approach(DPAPI) to protect the configuration section, we should do the
final encrypting work on the deploymenet server rather than on the
development server(where you compile the applcation). And normally, the
work (execute the aspnet_regiis tool from commandline to encrypt the
application's configuration sectino) is done by the deployment server's
administrator.

Then, what shall we do if we want to make the encrypting work done at
before the application be deployed to the target deployment server (on
development server)? Well, this brings out the second option------ RSA
data encryption approach. Actually you can also find the above
article(about DPAPI approach mentioned this in the final section , about
protect configuration data in WEBFARM scenario).

The RSA approach is just based on RSA asymmetric data encryption/decryption
which use a public/private key pair. So when we want to make multiple
webservers share the protection key setting(e.g do the encryption on the
web.conifig file on one server, and when deploy it to other servers, also
want the protected data be usable without additional work), we can create a
custom RSA key pair, and on the development server, we still use the
aspnet_regiis tool to encrypt the web.config use the created RSA key pair's
public key, and export the private key(which is necessary for decrpyting
the data) to other servers which will want to decrypt the data(for your
scenario, it's the deployment server). And all the tasks mentioned here
like creating the RSA key pair, encrypte through it, or export it can be
done via the aspnet_regiis tool.

Here is another MSDN article which mentioned using RSA approach to do the
configuration protection (also be referenced in the above article):

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/library/en...6.asp?frame=tr
ue

Hope this helps you.

Regards,

Steven Cheng
Microsoft Online Community Support
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



Apr 19 '06 #2
Thanks, Steven

I had read the web farm stuff, but didn't think of using it since I
don't have a web farm.

I guesss I will create a rsa key on the production server.

Export the public xml/key to a common location on some server.

Write a batch file on the development machine that compiles the app
and then encrypts the web.config using the xml file on the production
server.

That way any developer can deploy the app and I don't have to give the
aspnet account any write permissions.
On Wed, 19 Apr 2006 10:37:15 GMT, st*****@online.microsoft.com (Steven
Cheng[MSFT]) wrote:
Hi Chuck,

Thank you for posting and glad to see you again.

As for the ASP.NET 2.0 configuration section protection, it provides two
encryption approachs, DPAPI and RSA. I think the current approach you're
using is the DPAPI one which is mentioend in the following article, correct?

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/library/en...5.asp?frame=tr
ue

As for this data protection, it is something like a symmetic data
encryption which use a single shared session key to encrypt and decrypte
the data. Also, this session key is machine specific(or user storespecific)
which make it not portable from machine to machine. So when you're using
this approach(DPAPI) to protect the configuration section, we should do the
final encrypting work on the deploymenet server rather than on the
development server(where you compile the applcation). And normally, the
work (execute the aspnet_regiis tool from commandline to encrypt the
application's configuration sectino) is done by the deployment server's
administrator.

Then, what shall we do if we want to make the encrypting work done at
before the application be deployed to the target deployment server (on
development server)? Well, this brings out the second option------ RSA
data encryption approach. Actually you can also find the above
article(about DPAPI approach mentioned this in the final section , about
protect configuration data in WEBFARM scenario).

The RSA approach is just based on RSA asymmetric data encryption/decryption
which use a public/private key pair. So when we want to make multiple
webservers share the protection key setting(e.g do the encryption on the
web.conifig file on one server, and when deploy it to other servers, also
want the protected data be usable without additional work), we can create a
custom RSA key pair, and on the development server, we still use the
aspnet_regiis tool to encrypt the web.config use the created RSA key pair's
public key, and export the private key(which is necessary for decrpyting
the data) to other servers which will want to decrypt the data(for your
scenario, it's the deployment server). And all the tasks mentioned here
like creating the RSA key pair, encrypte through it, or export it can be
done via the aspnet_regiis tool.

Here is another MSDN article which mentioned using RSA approach to do the
configuration protection (also be referenced in the above article):

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/library/en...6.asp?frame=tr
ue

Hope this helps you.

Regards,

Steven Cheng
Microsoft Online Community Support
================================================= =

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

================================================= =
This posting is provided "AS IS" with no warranties, and confers no rights.


Apr 19 '06 #3
Thanks for your response Chuck,

Yes, the webfarm/RSA approach also open the way we make the encrypted
configuration readable on other server as long as we export the correct RSA
key to the target server machine.

Good luck!

Regards,

Steven Cheng
Microsoft Online Community Support
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Apr 20 '06 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

113
by: Bonj | last post by:
I was in need of an encryption algorithm to the following requirements: 1) Must be capable of encrypting strings to a byte array, and decyrpting back again to the same string 2) Must have the same...
4
by: James | last post by:
I have a VB windows forms application that accesses a Microsoft Access database that has been secured using user-level security. The application is being deployed using No-Touch deployment. The...
2
by: Bill Nguyen | last post by:
I ran into this error trying to run an app from Publish.htm. I can't find what is wrong with the deployment. Thanks a million Bill -------- PLATFORM VERSION INFO
4
by: pintu | last post by:
Hello everybody.. I hav some confusion regarding asymmetric encryption.As asymmetric encryption it there is one private key and one public key.So any data is encrypted using private key and the...
1
by: =?Utf-8?B?bWljcm9ob2Y=?= | last post by:
Short version: Is there a way to configure (preferably programmatically) the max encryption strength that will be used by the framework when connecting to a particular SSL-protected web service? ...
11
by: John Williams | last post by:
I've written a simple program to do XOR encryption as my first foray into understanding how encryption works. The code compiles fine, however it segmentation faults on every run. using gdb to...
6
by: andrewbb | last post by:
I want to deploy a service with a windows app and the setup program must conform to the Vista certification requirements. Can that be done with the standard .net setup project? Assuming cost is...
7
by: Cirene | last post by:
I used to use the Web Deployment Project with my VS2005 projects. Now I've fully upgraded to VS2008. Do I have to download a new version of the Web Deployment Project? If so where can I find...
0
by: =?Utf-8?B?VGVjaGVlaw==?= | last post by:
I have created SSIS package and want to deploy it in MSDB. While importing the package into Filesystem it is getting imported.But when I try to import the package into MSDB it shows an error ...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: marcoviolo | last post by:
Dear all, I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.