user17777

Reputation: 351

Web.Config encryption using RsaProtectedConfigurationProvider - "Bad Data" error

I am attempting to encrypt connection string values in the Web.Config file for an ASP.NET 2.0 web application, following the procedure described on MSDN. Using the RsaProtectedConfigurationProvider, I created and exported a machine-level key on my development machine (using the -pri flag), and imported the key and granted access on the web server. Prior to testing automatic decryption by ASP.NET, I wanted to try manually decrypting the Web.Config.

I am able to manually encrypt and decrypt the Web.Config on the same machine using the -pef and -pdf parameters respectively, but manually decrypting on the web server fails with a Bad Data error message.

The oddest thing is that the keyContainerName attribute in my Web.Config file seems to be ignored. If I try replacing the correct value with gibberish (no longer corresponding to any key container I have created) the encryption and decryption still work on my development machine. Any ideas?

Upvotes: 15

Views: 21324

Answers (7)

Ahmed Yassin

Reputation: 1

Encrypting is very case sensitive, as Mahdi said. I have used it on my PC and taken it to the server, and I had a problem. The problem was from the RSA machine key containers that are stored in my PC folder or directory. And if you want to know where the correction may be started before making any change, just start from

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

For info, kindly refer to this link, which might be helpful:

http://msdn.microsoft.com/en-us/library/ms998283.aspx

Upvotes: 0

LCJ

Reputation: 22662

I followed the approach listed below when I had a Bad Data error during manual decryption.

  1. Add Remove and Clear tags in configProtectedData.
  2. Verify -pri was used while exporting the key.
  3. Also ensure that keyContainerName is the same as the one used for registering:

keyContainerName="MyKeys"

CONFIG

<configProtectedData>
  <providers>
    <clear/>
    <remove name="RSAProtectedConfigurationProvider" />
    <add name="RSAProtectedConfigurationProvider"
         keyContainerName="MyKeys"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

REFERENCE

  1. ConnectionString Encryption
  2. Where is RAS Key...

Upvotes: 1

lucky One

Reputation: 159

This is another way to encrypt and decrypt the connection string. Check it; if you are using VS2010, then open VS2010 with "Run as administrator".

using System;
using System.Configuration;
using System.Web.Configuration;
using System.Web.UI;

public partial class EncryptConfig : Page
{
    // Must match the provider name registered under <configProtectedData>.
    string provider = "RSAProtectedConfigurationProvider";
    // Section names are case sensitive: "connectionStrings", not "ConnectionStrings".
    string section = "connectionStrings";

    protected void btnEncrypt_Click(object sender, EventArgs e)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        if (configSect != null)
        {
            // Encrypt the section with the named provider and write Web.config back.
            configSect.SectionInformation.ProtectSection(provider);
            config.Save();
        }
    }

    protected void btnDecrypt_Click(object sender, EventArgs e)
    {
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        // Guard against a missing section as well as an already-clear one.
        if (configSect != null && configSect.SectionInformation.IsProtected)
        {
            configSect.SectionInformation.UnprotectSection();
            config.Save();
        }
    }
}

Upvotes: 0

Mahdi

Reputation: 755

Be careful that the name of the element to encrypt is case sensitive. So you should use "connectionStrings" not "connectionstrings" or "ConnectionStrings".

Upvotes: 1

Sanju

Reputation: 903

From your description, you're encountering some problems encrypting web.config via an exportable RSA provider, correct?

According to the RSA encryption reference, I've performed some local tests. The normal process of encrypting a web.config section via the RSA provider and moving it to another machine is as below:

======================

Step 1

Create a machine-level RSA key container: aspnet_regiis -pc "MyTestKeys" -exp

Step 2

Grant Read Access to the RSA Encryption Key:

aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 3

Encrypt the config file: aspnet_regiis -pef "connectionStrings" "physical path of the web site folder" -prov MyRSAProvider

Export the container and import it back on the other machine using the following steps:

Step 4

Export the machine-level RSA key container: aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri

Step 5

Copy Config-Key.xml to c:\ on 2nd server

Step 6

Import the machine-level RSA key container on the 2nd server: aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"

Step 7

Grant Read Access to the RSA Encryption Key: aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 8

Copy encrypted web.config to 2nd server

========================

Based on the steps you mentioned, I think most of the process you've followed should be correct. So far I'd like to suggest you check the following things:

  1. Check your custom RSA provider setting to see whether it is correctly copied to the target machine as well and set to use the machine container:

========encrypt config section=======

type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

  2. As in the above steps, after you create the RSA key container, you need to use "aspnet_regiis -pa" to make sure that the particular account (which will run your ASP.NET application) has sufficient access permission to the key container. Generally, when you use the VS 2008/VS 2005 test server to run an ASP.NET application, you're using the logon user (which is probably the admin); however, if you run ASP.NET in IIS (or after moving to another server which uses a different process account), you need to make sure that process account has been granted the permission.

You can check them to see whether the problem is due to some of them.

Sincerely, Sanjay Manju suman

Upvotes: 9
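A quick way to catch the mismatches that LCJ's configProtectedData block and item 1 of Sanju's checklist describe, before the file is copied to the second server, is to inspect the web.config itself. The script below is an added example, not code from the question or from any of the answers; it uses only Python's standard library, borrows the provider and container names from the answers above (MyRSAProvider, MyTestKeys), and embeds a constructed sample web.config whose CipherValue is a placeholder rather than real ciphertext. It reports when a protected section names a provider that is not declared in the file's own configProtectedData (in that case the default provider from machine.config and its own key container are used, which is why a keyContainerName on a local provider that the section does not reference has no effect, as the question observes), when the provider is not set to use the machine container, and when its keyContainerName differs from the container imported with aspnet_regiis -pi.

```python
"""Pre-flight check of an RSA-protected web.config before moving it to another
server.  Added example; not code from the question or any answer on this page.
The sample config below is constructed for the example and its CipherValue is
a placeholder, not real ciphertext."""
import sys
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed sample: connectionStrings was protected with the local provider
# "MyRSAProvider", whose key container "MyTestKeys" is the one exported with
# -px ... -pri and imported with -pi (names taken from the answers above).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <configProtectedData>
    <providers>
      <clear/>
      <add name="MyRSAProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="MyTestKeys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="MyRSAProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-NOT-REAL-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""


def check_protected_config(xml_text, expected_container):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    root = ET.fromstring(xml_text)
    findings = []

    # Providers declared in this file.  A provider name that is not listed here
    # resolves to machine.config, whose RSA provider has its own key container,
    # so a keyContainerName written into web.config is never consulted for it.
    local_providers = {}
    for add in root.findall("./configProtectedData/providers/add"):
        local_providers[add.get("name")] = add.attrib

    # Every protected section carries configProtectionProvider="<name>".
    protected = [el for el in root.iter() if el.get("configProtectionProvider")]
    if not protected:
        findings.append("no section is marked as protected")

    for section in protected:
        name = section.tag
        provider_name = section.get("configProtectionProvider")
        if section.find(XMLENC + "EncryptedData") is None:
            findings.append("section '%s' has no EncryptedData element" % name)

        attrs = local_providers.get(provider_name)
        if attrs is None:
            findings.append(
                "section '%s' references provider '%s', which is not declared in this "
                "web.config: the machine.config provider and its key container will be "
                "used, so any local keyContainerName is ignored" % (name, provider_name))
            continue

        # Both machines must look in the machine-level container store, which is
        # where aspnet_regiis -pc / -pi put the key and -pa grants access to it.
        if attrs.get("useMachineContainer", "").lower() != "true":
            findings.append("provider '%s' is not using the machine container" % provider_name)

        container = attrs.get("keyContainerName")
        if container != expected_container:
            findings.append(
                "provider '%s' uses key container '%s', expected '%s' "
                "(the container imported with -pi)" % (provider_name, container, expected_container))
    return findings


if __name__ == "__main__":
    # Usage: python check_webconfig.py [path\to\web.config] [expected container name]
    # (the script file name is hypothetical); with no arguments the sample is checked.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    expected = sys.argv[2] if len(sys.argv) > 2 else "MyTestKeys"
    if path:
        with open(path, encoding="utf-8-sig") as fh:  # web.config often has a BOM
            text = fh.read()
    else:
        text = SAMPLE_WEB_CONFIG
    for finding in check_protected_config(text, expected) or ["no findings"]:
        print(finding)
```

Run it on the target server against the copied web.config, passing the container name used with -pi, before trying aspnet_regiis -pdf. An empty finding list means the file and the imported container agree, which leaves access to the container (the -pa step, and the account the worker process actually runs as) as the remaining cause of a Bad Data error.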

Sanju

Reputation: 903

The RsaProtectedConfigurationProvider uses the machine account or the user account to encrypt the keys and save them in a file called a "key container", which is usually saved in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA. The ASP.NET worker process identity (the ASPNET user on XP/2000, or Network Service on 2003) should have access to these files to be able to decrypt it, or you will get this error message.

Please check this link for more information

http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

Upvotes: 0

KG Sosa

Reputation: 22053

Actually you can use EL from Microsoft just to encrypt your connection string. You can download it here: http://www.codeplex.com/entlib

hth

Upvotes: 0
