将预加密的配置文件部署到生产环境 [英] Deploying pre-encrypted configuration files to a production environment
问题描述
我们想对部署到服务器上的所有Web应用程序配置文件进行加密。我们宁愿在构建过程中将此步骤作为第一步,并将预加密的文件包含在MSI中。
We want to encrypt all our web app configuration files that we deploy to a server. We'd prefer to do this as a step in our build process and include the pre-encrypted files inside the MSI.
这意味着我们的构建服务器(加密器)和生产服务器(解密器)需要相同的密钥。因此,我目前正在尝试进行非常基本的测试。在MachineA上加密Web.Config-在MachineB上解密。到目前为止,这是我尝试过的测试
This means that our build server (encryptor) and production server (decryptor) need the same keys. So I'm trying to do a very basic test for now. Encrypt a Web.Config on MachineA - Decrypt it on MachineB. Here's what I've tried to test so far
在本地计算机上创建一个新的RSA密钥对容器。
Create a new RSA Key Pair Container on my local pc.
aspnet_regiis -pc "MyContainer" -exp
给我ACL权限&
Give ACL Permissions to me & the NetworkService users.
aspnet_regiis -pa "MyContainer" "MyDomain\My.Account"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
将该密钥对导出到xml文件
Export that key pair to an xml file
aspnet_regiis -px "MyContainer" C:\MyContainer.xml -pri
将该文件复制到另一台计算机&导入它
Copy that file to another pc & import it
aspnet_regiis -pi "MyContainer" C:\MyContainer.xml
给我的同事&他的计算机对新导入的文件的网络服务用户权限
Give my colleague & his machines NetworkService user permissions on the newly imported file
aspnet_regiis -pa "MyContainer" "MyDomain\My.Colleague"
aspnet_regiis -pa "MyContainer" "NT AUTHORITY\NETWORK SERVICE"
接下来,我创建了一个
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="SecretKey" value="ValueWeWantToHide" />
</appSettings>
<configProtectedData>
<providers>
<add name="SampleProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
keyContainerName="MyContainer"
useMachineContainer="true" />
</providers>
</configProtectedData>
</configuration>
我可以很容易地加密&使用命令在此处解密appSettings部分。他们对&解密成功后,加密后的部分将用正确的提供者标记(< appSettings configProtectionProvider = RsaProtectedConfigurationProvider> )
I can quite easily encrypt & decrypt the appSettings section here using the commands. They encrypt & decrypt successfully and the encrypted section is marked withe correct provider after encryption (<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">)
aspnet_regiis -pef appSettings D:\testapp
and
aspnet_regiis -pdf appSettings D:\testapp
但是,当我将加密的web.config复制到同事PC并尝试使用上述命令对其进行解密时,解密失败。
However when I copy the encrypted web.config to my colleagues PC, and attempt to decrypt it with the command above, the decryption fails. It gives a very unhelpful error
Failed to decrypt using provider 'RSAProtectedConfigurationProvider'. Error message from provider: Bad Data
现在我被卡住了。我在SO上发现了两个类似的问题,但没有具体解决它们的具体问题。我错过了某个地方的步骤吗?我认为我密钥设置有效,因为我可以在本地进行加密/解密。我是否可能已提前完成密钥导入或错过了同事计算机上的某些步骤。感谢所有帮助。
And now I'm stuck. I've found a couple of similar issues on SO but nothing concrete that specifically solved their problems. Have I missed a step somewhere. I assume my key setup is valid since I can locally encrypt/decrypt. Is it possible I've cocked-up the key import or missed some step on my colleagues machine. Any help appreciated.
推荐答案
您正在使用计算机上的 default 提供程序进行加密/解密(此操作
You are encrypting/decripting using the default provider on your machine (this will be different for each machine).
您需要指定提供商:
aspnet_regiis -pef appSettings D:\testapp -prov "SampleProvider"
在您的同事上机器:
aspnet_regiis -pdf appSettings D:\testapp
这篇关于将预加密的配置文件部署到生产环境的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
