Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to encrypt / decrypt a configuration file section with RsaProtectedConfigurationProvider

In my config file, i have some sensitive informations i wanted to encrypt for more security.

This is my code ( working as expected ):

class Program
{
    static void Main(string[] args)
    {
        System.Configuration.ExeConfigurationFileMap fileMap = new ExeConfigurationFileMap();
        fileMap.ExeConfigFilename = @"D:\Web_S\Prep\test\test.exe.config";
        System.Configuration.Configuration configuration = System.Configuration.ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
        string userNameWithoutEncryption = configuration.AppSettings.Settings["username"].Value;
        EncryptAppSettings("appSettings", configuration);
    }

    protected static void EncryptAppSettings(string section, Configuration configuration)
    {    
        AppSettingsSection objAppsettings = (AppSettingsSection)configuration.GetSection(section);
        objAppsettings.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        objAppsettings.SectionInformation.ForceSave = true;
        configuration.Save(ConfigurationSaveMode.Modified);

    }
}

.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="username" value="a2zmenu"/>
    <add key="password" value="password"/>
  </appSettings>
</configuration>

The .config encrypted looks like this :

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <section name="customAppSettings" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
<CipherValue>09+Lm23xDWWnAZFOagh3NRwp5tzad+3oedvTgoeWqunQBiAfk9UGfGxriZg6snwwANUDzOANZ+wOFUb6qa0Atf
NgSd6b4FFSKTqzkfLlk+S9GtPSAVrRaLU9
/Q2Qu7oxoSbhW7NWtengJbEZrFm+GqlLlm08w8Np/y03DMExFeA=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
<CipherValue>qSYRXNEKhbwNodH60c7qoWeKZ2QKVQmizPXVGCgHVZPMQ4F+XDqlZa2OyIin0kEI3j8pCjNL097RlZClgdd
gPEd61AEw6DXJc43Z98obNFHmXfK9aS67qEtO6E
T+qCWQq2ZRbfK6xZ6jlfeink35/veUmoxAmDXrkwdrbQVKv98=</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>

I have the following questions: Is it safe to let informations such as

   <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />

in the .config ?

Isn't it possible to decrypt it with those informations ? After the file is encrypted, can you confirm i can comment this line :

  EncryptAppSettings("appSettings", configuration);

When i try to get the username value after the file is encrypted with this line :

string userNameafterEncryption = configuration.AppSettings.Settings["username"].Value;

i get the decrypted value even if my file is now encrypted. I don't understand why...

Thank you for your help

like image 341
FieryA Avatar asked May 10 '16 14:05

FieryA


People also ask

How do I decrypt an encrypted config file?

To decrypt encrypted configuration file contents, you use the Aspnet_regiis.exe tool with the -pd switch and the name of the configuration element to be decrypted. Use the –app and -site switches to identify the application for which the Web. config file will be decrypted.

How do I decrypt an encrypted string?

Given encrypted string str, the task is to decrypt the given string when the encryption rules are as follows: Start with the first character of the original string. In every odd step, append the next character to it. In every even step, prepend the next character to the encrypted string so far.


1 Answers

First you need to understand how and from what configuration encryption really protects you. RsaProtectedConfigurationProvider can store private keys which are used for actual encryption in two places. First one is

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

This is folder to store machine-wide keys. By default, any user can access this folder but you need to be elevated (run as admin) to read files in this folder (again, by default).

Second possible location is

C:\Documents and Settings\[user name]\Application Data\Microsoft\Crypto\RSA

This is user-level location - only specific user can access it.

By default, RsaProtectedConfigurationProvider will use machine-level location, this is controlled by UseMachineContainer property of this provider. Default configuration is defined in machine-level configuration file (located at C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config) and defined like this:

<add name="RsaProtectedConfigurationProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="NetFrameworkConfigurationKey" cspProviderName="" useMachineContainer="true" useOAEP="false"/>

If you would like to encrypt your section using user-level location, you can override this configuration in your own app.config file (see more here).

Now when you know all that, you can make an informed decision whether you need to encrypt your section and if yes - which location to use.

  1. If you use machine-level location (default) - your applicaton should be run elevated (under admin) both for encryption and decryption of your section. If someone will get access to your configuration file - he will not be able to decrypt it without having admin permissions. Running elevated might be a problem in some environments (especially corporate).

  2. If you use user-level location - your applicaton does not require to run elevated. Only user which encrypted section can later decrypt it. If someone gets access to your computer under different user (imagine some corporate domain) and steals a file - he won't be able to decrypt it.

You can either pre-encrypt your section for specific user\machine (keys with which sections are encrypted can be exported from one machine to another if necessary) or on first run ask user to type sensitive data (password to the database as an example) - then save that data to app.config and encrypt section.

As for why you get decrypted value automatically - that is because it's decrypted on the fly if possible. You are running as admin by default it seems (have your UAC disabled for example) so you can access keys which were used for encryption and so can decrypt. If you ran without admin - it will throw exception when you try to access encrypted value.

like image 97
Evk Avatar answered Oct 04 '22 21:10

Evk