
Encryption / Decryption of app.config sections using RsaProtectedConfigurationProvider

During the installation of our program we run this method to encrypt sections of the app.config:

// Requires a reference to System.Configuration.dll and: using System.Configuration;
// Get the application configuration file.
Configuration config =
      ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

// Define the Rsa provider name.
const string provider = "RsaProtectedConfigurationProvider";

// Get the section to protect.
ConfigurationSection connStrings = config.ConnectionStrings;

if (connStrings != null)
{
    if (!connStrings.SectionInformation.IsProtected)
    {
        if (!connStrings.ElementInformation.IsLocked)
        {
            // Protect the section.
            connStrings.SectionInformation.ProtectSection(provider);

            connStrings.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }
    }
}

Works fine so far. But if I run this program, we encounter on several machines the following error: "Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened".

Of course I searched and found this help, but this doesn't work. Any ideas?

Jan asked Nov 23 '10 13:11




2 Answers

I ran into similar issues while debugging within Visual Studio 2010 on Win 7 with UAC set to its default protection.

In order for me to get around this issue, I had to run Visual Studio as the Administrator ("Run as Administrator").

I had the same issue with trying to run the aspnet_regiis.exe to encrypt the section of my web.config. If I didn't run the commandline/console "as Administrator" I would get a commandline error that was even more cryptic: "Object already exists."

John answered Nov 13 '22 08:11


Yes.

Reason is those machines working have RsaProtectedConfigurationProvider set up in their machine.config. Those not working don't have it - just manually add it for those machines.

I imagine that's one of the steps aspnet_regiis.exe does. I can't imagine you want to run that on all client machines.

UPDATE

OK, I have made the main part of the error in bold in your question - you are right it is a different issue. It is a security issue. If you look at the location C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys or C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys depending on the operating system, you see a number of files. Your process does have access to the folder so just give files access to the whole folder for the identity of the application or a particular file (timestamp will tell you if you have created it).

Aliostad answered Nov 13 '22 10:11
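
A diagnostic for the "RSA key container could not be opened" error discussed in this thread, as an added example that is not part of the original question or answers. It tries to open the machine-level key container as the current identity, prints the matching file under the MachineKeys folder, and can grant read access on that one file instead of the whole folder. It assumes .NET Framework on Windows and that the provider uses the default container name NetFrameworkConfigurationKey; the class name and the optional account argument are hypothetical.

```csharp
// Added example, not from the original thread. Target: .NET Framework on Windows.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;

static class KeyContainerCheck
{
    // Assumption: the provider entry in machine.config uses its default,
    // machine-level container name. Change this if your config names another.
    const string ContainerName = "NetFrameworkConfigurationKey";

    static int Main(string[] args)
    {
        var csp = new CspParameters
        {
            KeyContainerName = ContainerName,
            // UseExistingKey: fail instead of silently creating a new key pair.
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };

        string keyFile;
        try
        {
            using (var rsa = new RSACryptoServiceProvider(csp))
            {
                rsa.PersistKeyInCsp = true; // never delete the container on Dispose
                keyFile = Path.Combine(
                    Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                    @"Microsoft\Crypto\RSA\MachineKeys",
                    rsa.CspKeyContainerInfo.UniqueKeyContainerName);
            }
        }
        catch (CryptographicException ex)
        {
            // Same condition the provider reports as "could not be opened".
            Console.Error.WriteLine("{0} cannot open '{1}': {2}",
                Environment.UserName, ContainerName, ex.Message);
            return 1;
        }
        Console.WriteLine("Container opened; key file: " + keyFile);

        if (args.Length == 1) // optional: account to grant read access (needs elevation)
        {
            FileSecurity acl = File.GetAccessControl(keyFile);
            acl.AddAccessRule(new FileSystemAccessRule(
                args[0], FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, acl);
            Console.WriteLine("Granted Read on the key file to " + args[0]);
        }
        return 0;
    }
}
```

Run it without arguments under the account that fails to decrypt to confirm the cause, then run it elevated with that account name as the argument to grant access.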