Encrypt and deploy app.config

Question

I read and tested a lot to find the best practice to encrypt and deploy an app.config to different machines. In general, I would like to secure the content of the connection string from third parties and deploy the application to different machines. I will not configure each machine manually.

I know there are several ways like:

• Aspnet_Regiis (RSAProtectedConfigurationProvider, DPAPIProtectedConfigurationProvider) bound to a machine, user or custom. RSA encryption key.

• System.Security.Cryptography.ProtectedData bound to a machine or user.

• Encrypt the app.config at the first execution. Which is not secure.

What do you recommend or what is the best practice to encrypt an app.config and provide the application to different machines by a setup or with copy&paste?

Answer 1

Step 1 Create an RSA keypair

aspnet_regiis -pc yourkey -exp

Step2 Export you key in XML file

aspnet_regiis -px yourkey keyfile.xml -pri

for each machines

Step3 Import your container

aspnet_regiis -pi yourkey keyfile.xml (see step 2)

for each machines

Step4 Edit machine.config (canonical path C:\Windows\Microsoft.NET\Framework[64|32]\v[Version]\Config)

add in section configProtectedData this below element and set defaultProvider="YourProvider"

<add name="YourProvider"
                type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                description="Uses RsaCryptoServiceProvider to encrypt and decrypt for my infrastucture"

                keyContainerName="yourkey"

                cspProviderName=""
                useMachineContainer="true"
                useOAEP="false" />

Then you can encrypt in a machine and paste in other, remember that must give privileges to users with

aspnet_regiis -pa yourkey [DOMAIN\USER]

The administrators group is already authorized.

For more info http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.90).aspx

of course this steps you can put in a powershell/batch file

Another way for encrypt a connectionStrings section by code is

 var connectionStrings = ConfigurationManager.GetSection("connectionStrings") 
 if(!section.SectionInformation.IsProtected)
     connectionStrings.SectionInformation.ProtectSection("YourProvider");

In a connected and client/server scenario I propose you a solution that I have adopted in a wide network is of not distribute connection string in app.config but of require the connection's information at a service that can be an web service or a RESTful service after the user authentication.

In step more o less is thus

1. Authenticate user
2. Require connection info at service with username as parameter (HTTPS protocol)
3. a service return connection string
4. App it connect at DB

With this solution you can choose which server the user connects if you have regional server or more server

I hope be helpful

Answer 2

As I already mention in the question, there are many different ways to encrypt a configuration file. For a widely perspective I would like to describe an additional opportunity. I will not describe the concrete implementation, more the concept.

With a custom action in a msi installer you can encrypt the configuration file directly with the Windows Data Protection API (DPAPI). To secure the second entropy you can use an obfuscator. As a result, only the application is able to encrypt the configuration file.

Advantage

• Quite secure.
• No machine configuration is necessary.
• Insert the credential during the setup.

Disadvantage

• The configuration file is not encrypted in the setup. You have to protect it (permissions).

Please feel free to discuss and give some feedback to this answer.