Deploying connection string encrypted via RSAProtectedConfigurationProvider in app.config

Question

If a developer encrypts a connection string app.config section using RSAProtectedConfigurationProvider on their own machine, and this is subsequently deployed to a user's workstation, can that user's workstation (or server, for that matter), decrypt the connection string automatically?

Would some kind of key export/installation be required? How does this work? I realize that it's not bulletproof. I'm looking for advice on whether or not the deployment would be easy and/or work with such an encrypted connection string.

Answer 1

It is possible. There are APIs to do it (look at the System.Security.Cryptography namespace), or from the command line you can use aspnet_regiis:

aspnet_regiis -pc -exp  : create an exportable key pair
aspnet_regiis -px : export an RSA key pair to an XML file
aspnet_regiis -pi : import an RSA key pair from an XML file
aspnet_regiis -pa : add access for an account to a key container

Of course, when using encryption, you are simply substituting the problem of protecting data (your connection string) by a problem of protecting the key.

In your example, as you are aware since you say you know it's not bulletproof, the user will need to have access to the key container so will be able to decrypt the encrypted connection string.

In addition, anyone who gets hold of the XML file containing the exported key pair will be able to do so.

UPDATE

The deployment procedure would be something like:

• Create an exportable key on the developer workstation (aspnet_regiis -pc -exp)
• Encrypt the configuration section on the developer workstation using this key
• Export the key to an XML file (aspnet_regiis -px)
• Copy the XML file to the target machine
• Import the key from the XML file on the target machine (aspnet_regiis -pi)
• Give user accounts read access to the key on the target machine (aspnet_regiis -pa)

Sections encrypted using a protected configuration provider such as RSAProtectedConfigurationProvider will be decrypted automatically, provided the Windows identity under which the application is running has read permission for the RSA key container.