Shulou(Shulou.com)06/02 Report--

This article mainly shows you "how to encrypt WebConfig in NET environment in C#", which is easy to understand and clear. I hope it can help you solve your doubts. Let me lead you to study and learn this article "how to encrypt WebConfig in NET environment in C#".

When deploying the ASP.NET project to the server, the Web.Config is often copied directly in the intranet environment. For the external network environment, the Web.Config file needs to be encrypted.

Net environment provides a total of two ways of encryption, namely, DpapiProtectedConfigurationProvider and RsaProtectedConfigurationProvider providers.

After encrypting Web.Config locally, the former can only be decrypted locally, but cannot be decrypted if you need to copy the Config file to an external host. After the latter encrypts the Config file locally, it can encrypt the container everywhere. When the Config file is copied to an external host, it can import the previously exported file and automatically decrypt it after import.

Because you often need to copy Config files to an external host, the Rsa protector is more suitable for actual business scenarios. This article will describe the steps for using the RsaProtectedConfigurationProvider program in detail.

1. To use the RsaProvider provider, you need to first enter the .NET Framework runtime environment, you can configure environment variables or use the cd directive.

Cd C:\ Windows\ Microsoft.NET\ Framework\ v2.0.50727

two。 You can then use aspnet_regiis.exe to create a Rsa key container. Key containers are divided into user-level and computer-level cases. Since there is no benefit in using user-level keys, it is generally possible to use computer-level keys.

Aspnet_regiis-pc "MyKeys"-exp

3. After you create the key container, you also need to set access to the key container. The following command grants the NETWORK SERVICE account access to the machine-level "MyKeys" RSA key container. There is an aspx program on msdn that displays the user logo of your asp.net program, but I will report an error after actually executing the pa instruction.

Aspnet_regiis-pa "MyKeys"NT AUTHORITY\ NETWORK SERVICE"

4. Add the following configuration node to the Web.Config file. MyProvider is the name of your protection program, which can be specified at will. KeyContainerName is the name of the key container set earlier, useMachineContainer is true to use machine-level keys, and false means to use user-level keys.

This configuration section should not be placed directly under the configure configuration node like msdn, which will cause an error. It is recommended to put it after the node you need to encrypt.

5. The following instruction encrypts the config file node under the specified path, or the sessionState node if there is a sql connection string for session in the configuration file.

Aspnet_regiis-pef "connectionStrings"D:\ WebApp"-prov "MyProvider"

Aspnet_regiis-pef "system.web/sessionState"D:\ WebApp"-prov "MyProvider"

The encrypted connectionStrings node is shown below, and the ASP.NET application is still accessible at this time.

Rsa Key X3XoBfbogamh9QUeVUV8A1EGMM0NQuBnhfuCAccording to iV1e7CCmGaiRt9ogmICenTK8VAmGfhufPzWFu5UHSiO 6BIvYPEO5WoWlj3h6GUQmRj6NsJOnrnYjta4oQb4xxazWcf3HUeWR0mG4wDCifTZaRIRmXkGgfbxewpsKJ5k = suqFgGjGFaon62YNI2VM5SQymcf4yyAku9fWQuvgClj1bfqixK9kIs9IE0I0m2u4gLbF+y0xPharfcOFJpXHDwHoaCrNQsxsutqiXquX67bYcJeYaMz5ja9ebqAtQvKIiZ/kHGvFIPXSCg5HiW/GGQwaf3FESVEsOaSAJZ3JJk9MlkkwDd6LepgtcCVjLnEK0lOeEFznrngizFFZWAsYjh6UCF5lNxNxf/IBwtznsfiFi2tV1F4sx9HkJEEryf5MEtu1RAA/wqarMvn7dlXhpGconpNPXA1IGlTmaZ/S1bR/FsO39skgHrs+OHsDMbJrI5ZO4TXXbK/DD86GPzu9JXrVKNVImzzW0V8aMc2HcVNClPsMwwgGaH6PNhE0xkjV6YH77XcLdVsKibvnwMlO/4kjGKoNXaSkFBoAEgprzi8=

If you need to decrypt, you can execute the following instruction aspnet_regiis-pdf "connectionStrings"D:\ WebApp"

6. Export the key container, the key information will be stored in the exported xml file, and pri means that the public key and private key will be exported together.

Aspnet_regiis-px "MyKeys"D:/MyKeys.xml"-pri

7. Having this xml file is equivalent to having a key container. After exporting the key container, you can delete the key container. The deletion instructions are as follows.

Aspnet_regiis-pz "MyKeys"

8. After deleting the key container, if you did not decrypt the Config file before, then running the ASP.NET program will directly report an error.

In my actual operation, I found that if you encrypt the Web.Config file of the running ASP.NET application, delete the key immediately after encryption, and click run (do not debug) to access it normally. This indicates that the Rsa decryption operation is performed in memory, and the access will not report an error until the solution is rebuilt or debugged (which will perform the build operation).

9. Now you can copy the encrypted config file and the exported MyKeys.xml to the server. Running the website at this time will report an error directly. You need to execute the following import instructions.

Aspnet_regiis-pi "MyKeys"D:/MyKeys.xml"

After import, you will find that there is still an error when you visit the ASP.NET website locally, indicating that you cannot open Provider. The pit eventually found a solution online, as shown in the following instructions, requiring access to the key container for the application pool.

Aspnet_regiis-pa "MyKeys"IIS APPPOOL\ MyWeb"-full

Since then, the entire process has been completed, and the above instructions can be encapsulated into two batch programs, one is key making bat, and the other is importing bat, as shown below.

@ echo oncd C:\ Windows\ Microsoft.NET\ Framework\ v2.0.50727 Microsoft.NET: set the config address Config file to set configAddress= "E:\ test":: create RSA key container aspnet_regiis-pc "MyKeys"-exp:: set key container access permissions aspnet_regiis-pa "MyKeys"NT AUTHORITY\ NETWORK SERVICE":: encrypt aspnet_regiis-pef "connectionStrings"D:\ WebApp"-prov "MyProvider" aspnet_regiis-pef "system.web/sessionState"D:\ WebApp"-prov "MyProvider" :: export aspnet_regiis-px "MyKeys"D:/MyKeys.xml"-pri:: delete key container aspnet_regiis-pz "MyKeys" pause@echo oncd C:\ Windows\ Microsoft.NET\ Framework\ v2.0.50727: delete old key container aspnet_regiis-pz "MyKeys":: import new key container aspnet_regiis-pi "MyKeys"D:/MyKeys.xml":: set application pool Access rights of aspnet_regiis-pa "MyKeys"IIS APPPOOL\ MyWeb"-fullpause

After writing these two bat, I think of the previous decryption instruction aspnet_regiis-pdf "connectionStrings"D:\ WebApp", which only needs to provide the node name and path. That is, if the person can execute the cmd instruction on the server being used, then he can decrypt the config. If there is a better solution to this problem, you are welcome to leave a message.

If Microsoft had written this instruction parsing method, it would have added a key parameter. Then even if the * can execute the cmd instruction, because he does not know the name of the key, it is still unable to decrypt the config.

These are all the contents of this article entitled "how to encrypt WebConfig in NET in C#". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.