How do you encrypt a password within appsettings.json for ASP.net Core 2?

Problem description

I'd like to use my appsettings.json to store a "master password".

This master password would then be used to open up a private key (and its subsequent password store) generated by this excellent password store package: https://github.com/neosmart/SecureStore

The problem is, I can't think of any way to encrypt the master password. I know in .NET 4.5, it was possible to do the following:

1) Place your password into the web.config file

2) Run this script: aspnet_regiis.exe -pef appSettings "C:\myfolder"

3) Your password would end up being encrypted - but read securely by your program.

https://www.codeproject.com/Articles/599416/Encrypting-ASP-NET-Application-Settings

Am I going about this the right way or is there a better practice?

Recommended answer

Remember, do not store secrets in the main appsettings.json that is in the web site and is usually held in source control. Use a file provider to locate the file in some other location elsewhere on the server.

If you have access to Azure, you could store the secret in Azure Key Vault instead of appsettings.json.

With that in mind, if you want to use a JSON file, you can use a bridge or a proxy class to handle the decryption of values.

First you will need a class to decrypt the values. For brevity, I won't go into the details of the decryption class here and will just assume that a class called SettingsDecryptor has been written and implements an interface called ISettingsDecryptor with a single method Decrypt which decrypts a string value.

The bridge class takes two constructor parameters.

  • The first is an IOptions<T> or IOptionsSnapshot<T> where T is the class that the section in appsettings.json is bound to via the services.Configure method (e.g. MyAppSettings). Alternatively, if you do not want to bind to a class, you could use IConfiguration instead and read directly from the configuration.
  • The second is the decryption class that implements ISettingsDecryptor.

In the bridge class, each property that requires decrypting should use the decryption class to decrypt the encrypted value in the configuration.

using System;
using Microsoft.Extensions.Options;

public class MyAppSettingsBridge : IAppSettings
{
    private readonly IOptions<MyAppSettings> _appSettings;

    private readonly ISettingsDecrypt _decryptor;

    // IOptionsSnapshot<T> derives from IOptions<T>, so it can be held in the IOptions<T> field.
    public MyAppSettingsBridge(IOptionsSnapshot<MyAppSettings> appSettings, ISettingsDecrypt decryptor) {
        _appSettings = appSettings ?? throw new ArgumentNullException(nameof(appSettings));
        _decryptor = decryptor ?? throw new ArgumentNullException(nameof(decryptor));
    }

    // Plain setting: passed through unchanged.
    public string ApplicationName => _appSettings.Value.ApplicationName;

    // Encrypted settings: decrypted each time the property is read.
    public string SqlConnectionSting => _decryptor.Decrypt(_appSettings.Value.Sql);

    public string OracleConnectionSting => _decryptor.Decrypt(_appSettings.Value.Oracle);
}

The DI container should be set up something like this:

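public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddOptions();
    // Bind the "MyAppSettings" section (still holding encrypted values) to the options class.
    services.Configure<MyAppSettings>(Configuration.GetSection("MyAppSettings"));
    services.AddSingleton(Configuration);
    services.AddSingleton<ISettingsDecrypt, SettingsDecryptor>();
    // Scoped, because the bridge depends on IOptionsSnapshot<T>, which is itself scoped.
    services.AddScoped<IAppSettings, MyAppSettingsBridge>();
}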

The controller can then have a constructor that takes the bridge as an IAppSettings to access the decrypted settings.

The above answer is a brief summary of the overall solution as there is quite a bit of code required.

The full detailed explanation can be seen at my blog post Hiding Secrets in appsettings.json – Using a Bridge in your ASP.Net Core Configuration (Part 4) where I describe using a bridge pattern in detail. There is also a full example (including a decryption class) on Github at https://github.com/configureappio/ConfiguarationBridgeCrypto
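
One way the decryption class that the answer leaves out could look, as an added example that is not taken from the original answer or its GitHub repository. It assumes ASP.NET Core Data Protection as the cipher; the interface name follows the answer's code, and the purpose string and the Encrypt helper are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Interface as the answer describes it: a single Decrypt method
// (name taken from the answer's code sample).
public interface ISettingsDecrypt
{
    string Decrypt(string protectedValue);
}

// Hypothetical implementation built on ASP.NET Core Data Protection.
public class SettingsDecryptor : ISettingsDecrypt
{
    // The purpose string isolates these payloads from other protectors
    // in the same application (the value here is an assumption).
    private const string Purpose = "MyApp.AppSettings.v1";
    private readonly IDataProtector _protector;

    public SettingsDecryptor(IDataProtectionProvider provider)
    {
        if (provider == null) throw new ArgumentNullException(nameof(provider));
        _protector = provider.CreateProtector(Purpose);
    }

    // Run once, from a tool that shares the same key ring and application
    // name, to produce the value that is stored in the JSON file.
    public string Encrypt(string plaintext) => _protector.Protect(plaintext);

    public string Decrypt(string protectedValue)
    {
        if (string.IsNullOrEmpty(protectedValue))
            throw new ArgumentException("Setting is empty.", nameof(protectedValue));
        try
        {
            // Unprotect authenticates the payload before decrypting it;
            // tampered values or values from another key ring throw.
            return _protector.Unprotect(protectedValue);
        }
        catch (CryptographicException ex)
        {
            // Fail closed, and keep the ciphertext out of the message and logs.
            throw new InvalidOperationException(
                "A protected setting could not be decrypted; check the key ring.", ex);
        }
    }
}
```

Register the provider with `services.AddDataProtection()` before the `AddSingleton<ISettingsDecrypt, SettingsDecryptor>()` line, and persist the key ring outside the web root and source control. The key ring then becomes the secret that needs protecting, so its file permissions matter as much as the JSON file's did.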
