I have been trying for quite a while to figure out how to encrypt Application blocks that are stored in an external file called dev_entlib.config
I can see in entlib (4.1) that it's possible to use the default protection providers to encrypt the blocks, but I really need to deploy this Application on different servers and thus I would need to export the keyProvider used to encrypt the application blocks to those servers.
What I've done so far is to add a custom Protected Configuration Provider to the machine.config file in the .net v2.0* whatever folder (and all the target servers)
the custom provider is like this
<add name="MyCompanyProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
keyContainerName="MyKey"
useMachineContainer="true" />
that sits nicely beside the other default providers and even has design time support in the Entlib config tool. I then choose the protection provider for each block I want to encrypt.
Looking at the dev_entlib.config, shows that indeed the block was encrypted with my provider. My provider uses my key container. Therefore the block should be encrypted using my key container. I then Export "MyKey" to an xml file using:
c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!
This key file is then copied to my sysTest server where it is imported and has access rights granted to "NT Authority\Network Services" and "ASPNET"
I then copy over my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page which uses .net ConfigurationManager to get the ConnectionStrings collection and display them on the page. This page is running under IIS and the identity of the process is "NT Authority\Network Services".
The problem is, that it doesn't work! There are bad data errors or "failed to decrypt using provider MyCompanyProvider".
This approach seems to make logical sense to me but it still fails.
Does anyone have any other suggestions?
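A diagnostic for the setup described in the question, added here as an example and not taken from the question itself: it exercises RsaProtectedConfigurationProvider directly against the machine-level container "MyKey" under whatever identity runs it. Run as the application-pool account on the sysTest server, it separates a key-container or ACL problem (step 1 or step 2 fails) from a provider-lookup problem in the config files (both steps pass but the page still fails). The container name, provider name, probe XML and class name are assumptions built from the question; compile against System.Configuration.dll.

```csharp
// Added diagnostic (not from the question). Assumed names: container "MyKey",
// provider "MyCompanyProvider", and the probe XML fragment below.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Xml;

static class KeyContainerCheck
{
    // Step 1: can the current identity open the machine-level RSA container at all?
    // UseExistingKey makes the call fail instead of silently creating a new, empty container.
    static bool ContainerIsReadable(string containerName)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
                return rsa.CspKeyContainerInfo.Accessible;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Cannot open container '{0}': {1}", containerName, ex.Message);
            return false;
        }
    }

    // Step 2: round-trip a small fragment through the same provider class the config
    // system uses, bypassing the provider lookup in machine.config / dev_entlib.config.
    // Success here plus a failure at runtime means the config files are not resolving
    // the provider name to this container.
    static bool ProviderRoundTrips(string providerName, string containerName)
    {
        var provider = new RsaProtectedConfigurationProvider();
        provider.Initialize(providerName, new NameValueCollection
        {
            { "keyContainerName", containerName },
            { "useMachineContainer", "true" }
        });

        var doc = new XmlDocument();
        // Constructed probe section; nothing from a real config file is touched.
        doc.LoadXml("<connectionStrings><add name=\"probe\" connectionString=\"Server=x;Database=y\" /></connectionStrings>");
        try
        {
            XmlNode encrypted = provider.Encrypt(doc.DocumentElement);
            XmlNode decrypted = provider.Decrypt(encrypted);
            return decrypted.OuterXml == doc.DocumentElement.OuterXml;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Provider '{0}' failed: {1}", providerName, ex.Message);
            return false;
        }
    }

    static void Main()
    {
        // The exact account name printed here is the one to grant with aspnet_regiis -pa.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Container readable: " + ContainerIsReadable("MyKey"));
        Console.WriteLine("Provider round-trip: " + ProviderRoundTrips("MyCompanyProvider", "MyKey"));
    }
}
```

The first line of output matters: the Windows account that actually runs the worker process is "NT AUTHORITY\NETWORK SERVICE", and that exact name is what the -pa grant has to name. The XML file written by aspnet_regiis -px ... -pri contains the private key, so copy it over a protected channel and delete it on both hosts once -pi has succeeded.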
2 solutions
#1
Encrypt external Enterprise Library configuration files with your custom RSA key container using the Enterprise Library Configuration tool.
- EntLib (4.1) uses the default protection provider RsaProtectedConfigurationProvider. But it is possible to remove this provider within your configuration file and replace it with your own with the same name which can then point to your custom key provider: "MyKey".
- You should add this configProtectedData section in the configuration file that has the region that you want to encrypt (e.g. your external file: *dev_entlib.config*). You do not need to modify the machine.config file at all.
- You can then choose the RsaProtectedConfigurationProvider from the Enterprise Library Configuration application for the Data Access Application Block ProtectionProvider.
- You have to open this EntLibConfig.exe with Run as administrator if you are on Vista, Windows 7, Windows 2008.
- Otherwise you will get an error:
Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Object already exists.
- You can then copy this encrypted *dev_entlib.config* along with the web.config configuration file to your sysTest server. Opening the web.config file with the Enterprise Library Configuration tool on that sysTest server should then not produce the error:
Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.
web.config
This file is pretty much empty and just points to the external Data Configuration file:
<!-- web.config -->
<configuration>
<configSections>
<section name="enterpriseLibrary.ConfigurationSource" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ConfigurationSourceSection, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<enterpriseLibrary.ConfigurationSource selectedSource="External Data Configuration File Source">
<sources>
<add name="External Data Configuration File Source" type="Microsoft.Practices.EnterpriseLibrary.Common.Configuration.FileConfigurationSource, Microsoft.Practices.EnterpriseLibrary.Common, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
filePath="dev_entlib.config" />
</sources>
</enterpriseLibrary.ConfigurationSource>
</configuration>
dev_entlib.config
This file has the connection strings and the protection provider with which they should be encrypted:
<!-- dev_entlib.config -->
<configuration>
<configSections>
<section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>
<dataConfiguration defaultDatabase="MyConnectionStringName" />
<connectionStrings>
<add name="cnHnicMediaLibrary" connectionString="Server=MyDbServer; Database=MyDbName; Integrated Security=SSPI"
providerName="System.Data.SqlClient" />
</connectionStrings>
<configProtectedData>
<providers>
<remove name="RsaProtectedConfigurationProvider" />
<add name="RsaProtectedConfigurationProvider"
keyContainerName="MyKey"
useMachineContainer="true"
description="Uses our own encryption key container so that it will work in a Web Farm setting. We need to trick Enterprise Library, which wants to use the default RsaCryptoServiceProvider to encrypt and decrypt, by replacing this default provider with our own while this configuration is processed!"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
</configuration>
Based on:
- http://entlib.codeplex.com/discussions/237555 (AvanadeSupport, Dec 8 2010 at 11:37 PM)
- http://entlib.codeplex.com/discussions/10300 (shane2007, Jul 9 2007 at 1:15 PM)
- http://entlib.codeplex.com/discussions/213998 (need to change the version back to 2.0.0.0)
I hope that this described the error message that you had and how to fix it.
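An added example, not the answer's own code, that does through System.Configuration what the Enterprise Library Configuration tool does in this answer: it opens the external dev_entlib.config shown above with an ExeConfigurationFileMap, protects connectionStrings with the RsaProtectedConfigurationProvider re-declared in that file's own configProtectedData (so the "MyKey" container is used), and then reopens the file to read the decrypted names back. The file path, section name and provider name are assumptions taken from this answer; the EntLib assemblies are assumed not to be needed because only connectionStrings is read or written.

```csharp
// Added example (not the answer's code). Assumptions: the file is dev_entlib.config
// as shown in the answer, and its <configProtectedData> re-declares
// RsaProtectedConfigurationProvider against the "MyKey" machine container.
using System;
using System.Collections.Generic;
using System.Configuration;

static class ExternalConfigProtector
{
    // Open an arbitrary config file instead of the process's own app.config.
    static Configuration OpenExternal(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypt one section. The provider name is resolved through the merged
    // <configProtectedData> of machine.config and this file, so the file-local
    // <remove>/<add> pair from the answer takes precedence over the default container.
    // Returns false when the section was already protected and was left alone.
    static bool Protect(string path, string sectionName, string providerName)
    {
        Configuration config = OpenExternal(path);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No section named " + sectionName + " in " + path);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Re-read the file. Decryption happens here under the calling identity, so running
    // this step as the IIS application-pool account reproduces the runtime code path.
    static string[] ReadConnectionStringNames(string path)
    {
        Configuration config = OpenExternal(path);
        var names = new List<string>();
        foreach (ConnectionStringSettings cs in config.ConnectionStrings.ConnectionStrings)
            names.Add(cs.Name);
        return names.ToArray();
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "dev_entlib.config";
        bool changed = Protect(path, "connectionStrings", "RsaProtectedConfigurationProvider");
        Console.WriteLine(changed ? "Section encrypted." : "Section was already encrypted.");
        Console.WriteLine("Readable connection strings: " + string.Join(", ", ReadConnectionStringNames(path)));
    }
}
```

Run the encryption step on the build machine and the read-back step on the sysTest server as the account IIS uses. A decrypt failure reporting Bad Data at that point typically means the container on the target is not the one the section was encrypted with (the export/import did not land in "MyKey" at machine level), while an access-denied failure points at the missing -pa grant for that account.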
#2
It doesn't seem to be possible yet. My solution is to just encrypt the blocks as part of the web.config and then copy and paste those blocks into an external entLib.config file. These blocks should then be able to be decrypted on the target servers with the exported key.