Tuesday, March 27, 2007

Encrypting the Connection String in Web.config in a Web Farm

In webfarm scenario best approach is to use RSA encryption to encrypt the ConnectionString. We can use aspnet_regiis.exe, which come up with .Net framework 2.0 for this encryption.

Following steps will guide you through the encryption.

1. Go to .Net framework command prompt
2. Run the following command from a command prompt to create a custom RSA encryption key:
aspnet_regiis -pc "KeysforShyjuMohan" -exp

here important one to note is the usage of switch " -exp" , which indicates that the keys are exportable.

If the command is successful, you will see the following output:
Creating RSA Key container... Succeeded!

We all are curious so normally we will look for the file and try to find out where it got created in the system.

Verfying the key container

can verify that a custom key container exists by looking for the file and checking timestamps in the following location:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

I hope all are aware about providers in .Net , the ones who knows about it will easly say what will be the next step.

Setting the provider
2. Add and configure a custom protected configuration provider. To do this, add the following section to the Web.config file. Note that the key container name is set to " KeysforShyjuMohans ", which is the name of the key container created previously.



add type=System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, name=MyCustomProvider description=Uses keycontainername=KeysforShyjuMohan usemachinecontainer=true version=, culture=neutral, publickeytoken=b03f5f7f11d50a3a



Next step we are going to encrypt the sections which are need to be encrypted. Here i am encrypting only the connection string section.

Encrypting Connection string section

3. Run the following command from an SDK Command Prompt to encrypt the connectionStrings section using the custom RSA key:
aspnet_regiis -pe "connectionStrings" -app "/MytestRSA" -prov "MyCustomProvider"

Here we have to watch out for the three switches
pe - which will be the section need to be encrypted
app - specify the name of your application
Prov - Give the provider name which we given in web.config file

If the encryption is successful, you will see the following output:
Encrypting configuration section... Succeeded!

Your modified Web.Config file, with the connectionStrings section encrypted, should be similar to the following example:
Rsa Key MWOaFwkByLRrvoGYeFUPMmN7e9uwC0D7gFEeyxs3Obll710dLQvD5XaMWcRxg1WwtOE9nysPQRrIJUaCm0b26LGUoa/giGEfvWnslU2kig9SPICzsQAqUSB/inhRckWceb2xdy7TT+EI/vfsu6itJwE2AicMCTwx5I828mP8lV4= IKO9jezdlJ/k1snyw5+e11cd9IVTlVfHBHSiYLgICf1EnMNd5WxVDZWP1uOW2UaY3Muv7HrSZCRbqq6hfA2uh2rxy5qAzFP+iu7Sg/ku1Zvbwfq8p1UWHvPCukeyrBypiv0wpJ9Tuif7oP4Emgaoa+ewLnETSN411Gow28EKcLpbKWJDOC/9o7g503YM4cnIvkQOomkYlL+MzMb3Rc1FSLiM9ncKQLZi+JkRhlDIxFlsrFpKJhdNf5A0Sq2P71ZLI6G6QDCehHyn3kCZyBmVWJ0ueoGWXV4y

Now we encrypted our connection, next we have to export the container to a xml file.We can use this file for importing the key container to other servers.One of the important thing is use this file only for exporting the key container and delete it after that otherwise somebody elae can use it.

Exporting the container
5. Run the following command from a .NET command prompt to export the custom RSA encryption key:

aspnet_regiis -px "KeysforShyjuMohan" "C:\MyKeys.xml" -pri

The -pri switch causes the private and public key to be exported. This enables both encryption and decryption. Without the–pri switch, you would only be able to encrypt data with the exported key.
If the command is successful, you will see the following output:
Exporting RSA Keys to file... Succeeded!

Deploying into other servers in webfarm
6. Deploy the application and the encrypted Web.config file on a different server computer. Also copy the CustomKeys.xml file to a local directory on the other server, for example to the C:\ directory.
7. On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:
aspnet_regiis -pi "KeysforShyjuMohan" "C:\MyKeys.xml"
If the command is successful, you will see the following output:
Importing RSA Keys from file.. Succeeded!

Note After you have finished exporting and importing the RSA keys, it is important for security reasons to delete the LivewireCustomKeys.xml file from both machines.

Next is one of the important normally people will forgot to do that.Giving the access permission to the application account (the account is used to run the application pool). Normally in production environment we will use a service account so give the permission to that service account.

Giving permisson
The account used to run your Web application must be able to read the RSA key container. If you are not sure which identity your application uses,

you can check this by adding the following code to a Web page:
using System.Security.Principal; ... protected void Page_Load(object sender, EventArgs e) { Response.Write(WindowsIdentity.GetCurrent().Name); }

By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. The following command grants this account access to the LivewireCustomKeys store:
aspnet_regiis -pa "KeysforShyjuMohan" "NT Authority\Network Service"
If the command runs successfully, you will see the following output.
Adding ACL for access to the RSA Key container... Succeeded!

You can check the ACL of the file in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Your RSA key container file will be the one in this folder with the most recent timestamp.