Is ConfigurationManager -> section.SectionInformation.ProtectSection() machine dependent?


Problem description


In the code

Configuration config = ConfigurationManager.OpenExeConfiguration (Application.ExecutablePath);
ConnectionStringsSection section = config.GetSection("connectionStrings") as ConnectionStringsSection;
if (!section.SectionInformation.IsProtected)
{
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
}

I'm getting some trouble when I move the application to another machine.

Is the section.SectionInformation.ProtectSection call machine dependent, meaning, I cannot copy the config file and use it on another machine?

Is there a provider (other than DataProtectionConfigurationProvider) that is machine independent?

It is a requirement for my application that it works on several machines with the same config file (it must run from a flash drive).

Thanks, Fábio

Solution

Is the section.SectionInformation.ProtectSection call machine dependent, meaning, I cannot copy the config file and use it on another machine?

Yes, that's correct as far as I can tell. This article says keys are stored on a per-machine or per-user basis.

Is there a provider (other than DataProtectionConfigurationProvider) that is machine independent?

Not out of the box, the two providers I know of (DataProtectionConfigurationProvider and RSAProtectedConfigurationProvider) both have the same "problem". I found a few hints that the RSA provider allows for keys being re-used across machines, but have not found any examples on how to achieve this.

However, there is a way to achieve what you need, I just did it myself yesterday since I had a similar problem (I had a requirement to run an app from a network location, and all clients needed to share the same encrypted config file). You can roll your own ProtectedConfigurationProvider. Here's a few links that illustrate the concept:

Using these articles, I was able to build my own ProtectedConfigurationProvider that is not machine- or user-dependent and use it in an application. I have a post-build step in my release build that protects the config section and therefore I only ever deploy the protected version of it. Getting at the protected section data works as one would expect on other machines without any problems. Of course, you have to be very careful about how to encrypt and decrypt your sections safely. There's a few examples out there outlining how to do it, this is one of them I think.

One of the things that isn't clearly stated in any of the three articles is how to make your app find your provider if you're not using ASP.NET. The usual way of installing it into the global assembly cache probably won't work for you since you state you're running an app from a flash drive. So, you'd need to add it to your app.config file instead, similar to this:

<?xml version="1.0"?>
<configuration>
  ... 
  <configProtectedData defaultProvider="MyEncryptionProvider">
    <providers>
      <add name="MyEncryptionProvider"
        type="MyAssembly.MyEncryptionProvider, MyAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=whatever_the_assembly_token_is" />
    </providers>
  </configProtectedData>
  ...
</configuration>

This should work if the assembly that does the encryption is in the same path as your main assembly. I'm using a signed assembly, sn -T {Assembly} will give you the PublicKeyToken you need to enter in the config file.

Protecting a section is then done similar to this:

using System.Configuration;

...

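Configuration oConfiguration = ConfigurationManager.OpenExeConfiguration(yourExePath);
// Section name assumed from the question; use whichever section you want protected.
ConfigurationSection oSection = oConfiguration.GetSection("connectionStrings");
oSection.SectionInformation.ProtectSection("MyEncryptionProvider");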
oSection.SectionInformation.ForceSave = true;
oConfiguration.Save();

I tested it today, and it worked with a config file being encrypted on a development machine (XP SP3), and being used on XP SP2, Win7 32Bit and Win7 64Bit.

DISCLAIMER

  • Not sure if any of this works if you don't sign your assemblies.
  • Use at your own risk, I'm not an expert on security by any standards.
