ASP.NET Encryption - aspnet_regiis - Farm


Question

We have a website that uses "NT Authority\Network Service".

Response.Write(WindowsIdentity.GetCurrent().Name); 

We are currently using the following commands to encrypt the config files.

aspnet_regiis -pc "NetFrameworkConfigurationKey"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
aspnet_regiis.exe -pef "connectionStrings" "C:\WebAppLocationFolder"

Note: We are not using "-exp". When we use "-exp" it does not create the RSA key container.

As you can see, we are using the default key, NetFrameworkConfigurationKey. Our website has a load balancer. Webserver1 (W1) and WebServer2 (W2) are available.

If I follow the above-mentioned commands, we will be using separate keys on W1 and W2. However, the website works with this approach.

Is this approach sufficient? Does it have any drawbacks or security vulnerabilities? Will it fail under any circumstances?

Note: The machine key is added in our web.config. It is the same in both configs. However, our configProtectedData is not in the web.config. Also, I think NetFrameworkConfigurationKey will be different on both servers.

I have read the following MSDN article on encryption in web farm scenarios: http://msdn.microsoft.com/en-us/library/ff650304.aspx

Answer

It doesn't sound to me like you've done everything correctly. First of all, there are two issues here:

  1. Ensure the machineKey is the same on both web servers.
  2. Ensure the same RSA private key is installed in the key container on both servers, so that each server can decrypt the encrypted config.

These are separate issues: machineKey has nothing to do with encrypting/decrypting the config sections you want to protect.

So first of all, the aspnet_regiis -pc command is used to create a new RSA key container, and the reason it's failing is that the container name you've specified already exists because it's the default. The key pair in this container is not exportable, so you need to create a new key container and specify the -exp switch to denote that the key pair is exportable.

aspnet_regiis -pc "MyDeploymentKeyContainer" -exp

Then export the key to a file, including the private key: the private key is used to decrypt the config section, so the web server will need it.

aspnet_regiis -px "MyDeploymentKeyContainer" deploykey.xml -pri

Now add the config section to your web.config and save it.

<configProtectedData>
  <providers>
    <add keyContainerName="MyDeploymentKeyContainer"
         useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="DeploymentProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

Then encrypt the web.config section, specifying the provider name as shown above (here it is "DeploymentProvider"):

aspnet_regiis -pef "connectionStrings" "C:\WebAppLocationFolder" -prov "DeploymentProvider"

Now you need to deploy the app to both servers and import the RSA key container you exported to the file earlier. Copy the file up and on each server run:

aspnet_regiis -pi "MyDeploymentKeyContainer" deploykey.xml

Once that's done, delete the file from the server - you don't want it hanging about. Finally, grant the user account for the app pool running your web app access to the key container on both web servers.

aspnet_regiis -pa "MyDeploymentKeyContainer" "SomeDomain\SomeAccount"
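The rollout described in this answer, scripted end to end in PowerShell and extended with a check that each farm member actually received the private half of the key pair (a server that only holds the public key can encrypt but will fail to decrypt the section at runtime). This is an added example, not the answerer's code; the container name, account, server names, aspnet_regiis path and file locations are assumptions.

```powershell
# Added example (not from the original answer): scripts the rollout above.
# Assumptions: container/account/server names, the aspnet_regiis path, and
# PowerShell remoting plus admin rights on the farm members (this runs on W1).
$ErrorActionPreference = 'Stop'
$RegIis       = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$Container    = 'MyDeploymentKeyContainer'
$Account      = 'SomeDomain\SomeAccount'    # app-pool identity
$SitePath     = 'C:\WebAppLocationFolder'   # its web.config already declares DeploymentProvider
$ExportFile   = Join-Path $env:TEMP 'deploykey.xml'
$OtherServers = @('W2')                     # every farm member except this one

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $RegIis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Exportable container, exported with its private key (-pri); the app-pool
#    identity is granted access on this server.
Invoke-RegIis @('-pc', $Container, '-exp')
Invoke-RegIis @('-px', $Container, $ExportFile, '-pri')
Invoke-RegIis @('-pa', $Container, $Account)

# 2. Encrypt the section once here; the encrypted web.config is deployed as-is.
Invoke-RegIis @('-pef', 'connectionStrings', $SitePath, '-prov', 'DeploymentProvider')

# 3. On each other member: import, grant access, delete the export file, then
#    verify the private key is present. Opening the container with UseExistingKey
#    throws if it is missing; PublicOnly means only the public key was imported.
foreach ($server in $OtherServers) {
    $remotePath = 'C:\Windows\Temp\deploykey.xml'
    Copy-Item -Path $ExportFile -Destination "\\$server\C$\Windows\Temp\deploykey.xml"
    Invoke-Command -ComputerName $server -ArgumentList $RegIis, $Container, $Account, $remotePath -ScriptBlock {
        param($Exe, $Name, $Acct, $File)
        & $Exe -pi $Name $File
        & $Exe -pa $Name $Acct
        Remove-Item -Path $File -Force          # the file holds the private key
        $csp = New-Object System.Security.Cryptography.CspParameters
        $csp.KeyContainerName = $Name
        $csp.Flags = 'UseMachineKeyStore, UseExistingKey'
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
        if ($rsa.PublicOnly) { throw "$env:COMPUTERNAME has only the public key for $Name" }
        "$env:COMPUTERNAME: container $Name present with private key"
    }
}
Remove-Item -Path $ExportFile -Force            # same reason: don't leave the export lying around
```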
