使用RsaProtectedConfigurationProvider的Web.Config加密 - “坏数据”错误 [英] Web.Config encryption using RsaProtectedConfigurationProvider - "Bad Data" error
问题描述
我正在尝试加密ASP.NET 2.0 Web应用程序的Web.Config文件中的连接字符串值,遵循 MSDN上描述的过程。使用RsaProtectedConfigurationProvider,我在我的开发机器上创建并导出了一个机器级别的密钥(使用-pri标志),并导入该密钥并在Web服务器上授予访问权限。在测试ASP.NET自动解密之前,我想尝试手动解密Web.Config。
I am attempting to encrypt connection string values in the Web.Config file for an ASP.NET 2.0 web application, following the procedure described on MSDN. Using the RsaProtectedConfigurationProvider, I created and exported a machine-level key on my development machine (using the -pri flag), and imported the key and granted access on the web server. Prior to testing automatic decryption by ASP.NET, I wanted to try manually decrypting the Web.Config.
我可以手动加密和解密Web.Config同一台机器分别使用-pef和-pdf参数,但在Web服务器上手动解密失败,并出现 Bad Data
错误消息。
I am able to manually encrypt and decrypt the Web.Config on the same machine using the -pef and -pdf parameters respectively, but manually decrypting on the web server fails with a Bad Data
error message.
最奇怪的是,我的Web.Config文件中的keyContainerName属性似乎被忽略。如果我尝试用乱码替换正确的值(不再对应于我创建的任何密钥容器),加密和解密仍然可以在我的开发机器上工作。任何想法?
The oddest thing is that the keyContainerName attribute in my Web.Config file seems to be ignored. If I try replacing the correct value with gibberish (no longer corresponding to any key container I have created) the encryption and decryption still work on my development machine. Any ideas?
推荐答案
从您的描述中,您遇到一些问题,通过可导出的RSA通过
web.config提供者,正确吗?
From your description, you're encountering some problems about encypting web.config via exportable RSA provider, correct?
根据RSA加密参考,我已经执行了一些本地测试,
通过RSA提供商加密web.config部分的正常过程和
移动到其他机器如下:
According to the RSA encryption reference, I've performed some local tests, the normal process of encrypting web.config section via RSA provider and move to other machine is as below:
====================
步骤1
====================== Step 1
创建机器级RSA密钥容器:
aspnet_regiis -pcMyTestKeys-exp
Create a machine-level RSA key container: aspnet_regiis -pc "MyTestKeys" -exp
步骤2
授予对RSA加密密钥的读取访问权限:
Grant Read Access to the RSA Encryption Key:
aspnet_regiis - paMyTestKeysNT AUTHORITY\NETWORK SERVICE
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
步骤3
加密配置文件:
aspnet_regiis -pefconnectionStrings网站的物理路径
文件夹-prov MyRSAProvider
Encrypt the config file: aspnet_regiis -pef "connectionStrings" "physical path of the web site folder" -prov MyRSAProvider
导出容器并将其导入到其他机器使用
以下步骤
export the container and import it back to other machine using the following steps
步骤4
导出机器级RSA密钥容器:
aspnet_regiis -pxMyTestKeysc:\Config-Key.xml-pri
Export the machine-level RSA key container: aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri
步骤5
将Config-Key.xml复制到第二台服务器上的c:\
Copy Config-Key.xml to c:\ on 2nd server
步骤6
导入第二台服务器上的机器级RSA密钥容器:
aspnet_regiis -piMyTestKeysc:\Config-Key.xml
Import the the machine-level RSA key container on the 2nd server: aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"
步骤7
授予对RSA加密密钥的读取访问权限:
aspnet_regiis -paMyTestKeysNT AUTHORITY\NETWORK SERVICE
Grant Read Access to the RSA Encryption Key: aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
步骤8
将加密的web.config复制到第二台服务器
Copy encrypted web.config to 2nd server
=== =====================
========================
根据您提到的步骤,我认为大部分流程've
跟随应该是正确的。到目前为止,我想建议您检查
以下事项:
Based on the steps you mentioned, I think most of the process you've followed should be correct. So far I'd like to suggest you check the following things:
- 检查您的自定义RSA提供程序设置,以查看是否正确的
复制到目标机器也设置为使用机器容器
======加密配置部分=======
type =System.Configuration.RsaProtectedConfigurationProvider,System.Configur
ation,版本= 2.0.0.0,Culture = neutral,PublicKeyToken = b03f5f7f11d50a3a/>
========encrypt config section=======
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configur ation, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
- AS在上述步骤中,创建RSA密钥容器后,需要
使用aspnet_regiis -pa确保某个帐户(将
运行您的ASP.NET应用程序)具有对
密钥容器的足够访问权限。通常,当您使用VS 2008 / VS 2005测试服务器运行
ASP.NET应用程序时,您正在使用登录用户(这可能是
管理员),但是,如果您运行ASP。 NET在IIS中(或者移动到其他
服务器,正在使用另一个不同的进程帐户),您需要使
确保某个进程帐户已被授予权限。
您可以检查他们以查看问题是否是由于某些问题。
You can check them to see whether the problem is due to some of them.
真诚的,
Sanjay Manju suman
Sincerely, Sanjay Manju suman
这篇关于使用RsaProtectedConfigurationProvider的Web.Config加密 - “坏数据”错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!