Question
Looks like the standard way of storing settings of Azure roles is under <ConfigurationSettings>
tag in the .cscfg file. Looks convenient, but the file is not encrypted in any way - it is an XML that is uploaded to the Azure portal as plain text and is stored as plain text and can be edited at any time.
In my application I'll need settings that should not be stored as plain text - like for example a password to my SQL Azure database. I'd rather not have a plaintext XML file with that password. How do I store such role settings?
Recommended answer
The typical way to do this on-premises is to use DPAPI on a single machine. Of course, this has problems on a web farm. To work around this, you can share a single key on each machine and encrypt. The easiest way to do this is to use certificate based encryption.
Nothing against the SQL Azure posts referenced by Michael, but that had to be the longest series ever to tell you to use the PKCS12 configuration provider. The only reason to use that provider is that it works in conjunction with the built-in tooling from ASP.NET that can read from appSettings automatically. It doesn't help with ServiceConfiguration that needs to change.
If all you want to do is securely protect a setting (typically in ServiceConfig) and you don't mind writing a utility class to do it, then you can use these two functions with any certificate (with private key) uploaded to Windows Azure. This is exactly how the password for remote access is encrypted in the Service Configuration.
Encrypt:

// Namespaces the snippet needs (the Pkcs types live in System.Security.dll):
using System;
using System.Linq;
using System.Text;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Plaintext to protect, and the thumbprint of the certificate whose public key will encrypt it
var passwordBytes = Encoding.UTF8.GetBytes("p@ssw0rd");
var contentInfo = new ContentInfo(passwordBytes);
var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";
var env = new EnvelopedCms(contentInfo);
X509Store store = null;
try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    // Single() throws if no certificate, or more than one, carries this thumbprint
    var cert = store.Certificates.Cast<X509Certificate2>().Where(xc => xc.Thumbprint == thumb).Single();
    // Build the CMS/PKCS#7 envelope for this recipient; only the public key is needed here
    env.Encrypt(new CmsRecipient(cert));
    // The Base64 of the DER-encoded envelope is the value to put in the configuration setting
    // (the original used LINQPad's .Dump() to show it)
    Console.WriteLine(Convert.ToBase64String(env.Encode()));
}
finally
{
    if (store != null)
        store.Close();
}
Decrypt:

// Same namespaces as the encrypt snippet:
using System;
using System.Linq;
using System.Text;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";
// Placeholder: paste the Base64 string printed by the encrypt snippet here
var cipherText = "<Base64 output of the encrypt step>";
X509Store store = null;
try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    // The decrypting machine must hold this certificate together with its private key
    var cert = store.Certificates.Cast<X509Certificate2>().Where(xc => xc.Thumbprint == thumb).Single();
    var bytes = Convert.FromBase64String(cipherText);
    var env = new EnvelopedCms();
    // Parse the envelope, then unwrap it with the recipient's private key
    env.Decode(bytes);
    env.Decrypt();
    // (the original used LINQPad's .Dump() to show the recovered plaintext)
    Console.WriteLine(Encoding.UTF8.GetString(env.ContentInfo.Content));
}
finally
{
    if (store != null)
        store.Close();
}
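As an added example that is not part of the original answer: the two snippets above wrapped into a small utility class (the name ProtectedSettings, the method names, and the setting and certificate names are all hypothetical) so a role can read an encrypted value straight out of ServiceConfiguration. It assumes the Azure SDK's RoleEnvironment API and that the certificate has been uploaded to the hosted service and declared in the role definition, which is what makes Azure install it, private key included, into LocalMachine\My on every instance; the encrypted Base64 string is then stored as an ordinary <Setting> value in the .cscfg.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.WindowsAzure.ServiceRuntime; // RoleEnvironment, from the Azure SDK

// Hypothetical helper. Assumed deployment wiring (names are placeholders):
//   .csdef:  <Certificates>
//              <Certificate name="SettingsCert" storeLocation="LocalMachine" storeName="My" />
//            </Certificates>
//   .cscfg:  <Certificate name="SettingsCert" thumbprint="<your cert thumbprint>" thumbprintAlgorithm="sha1" />
//            <Setting name="SqlPassword" value="<Base64 envelope produced by Encrypt>" />
public static class ProtectedSettings
{
    // Encrypts a plaintext value for the certificate with the given thumbprint
    // and returns the Base64 envelope to paste into the .cscfg.
    public static string Encrypt(string plaintext, string thumbprint)
    {
        var cert = FindCertificate(thumbprint, requirePrivateKey: false);
        var env = new EnvelopedCms(new ContentInfo(Encoding.UTF8.GetBytes(plaintext)));
        env.Encrypt(new CmsRecipient(cert));
        return Convert.ToBase64String(env.Encode());
    }

    // Reverses Encrypt on an instance that holds the certificate's private key.
    public static string Decrypt(string base64Cipher, string thumbprint)
    {
        var cert = FindCertificate(thumbprint, requirePrivateKey: true);
        var env = new EnvelopedCms();
        env.Decode(Convert.FromBase64String(base64Cipher));
        // Hand the expected certificate to Decrypt as the extra store so the
        // private-key lookup does not depend solely on the default store search.
        env.Decrypt(new X509Certificate2Collection(cert));
        return Encoding.UTF8.GetString(env.ContentInfo.Content);
    }

    // Reads the Base64 envelope stored under settingName in the .cscfg and returns the plaintext.
    public static string ReadProtectedSetting(string settingName, string thumbprint)
    {
        var cipher = RoleEnvironment.GetConfigurationSettingValue(settingName);
        return Decrypt(cipher, thumbprint);
    }

    private static X509Certificate2 FindCertificate(string thumbprint, bool requirePrivateKey)
    {
        // LocalMachine\My is where Azure installs certificates declared in the .csdef
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // FindByThumbprint avoids the hidden-character pitfalls of a string compare;
            // validOnly: false keeps an expired certificate usable for decrypting old
            // values while a new one is being rolled out.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count != 1)
                throw new CryptographicException(
                    "Expected exactly one certificate with thumbprint " + thumbprint + ", found " + matches.Count);
            var cert = matches[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
                throw new CryptographicException(
                    "Certificate " + thumbprint + " has no private key on this instance; cannot decrypt.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}

// Usage inside a role, e.g. in OnStart or when building the connection string:
//   var sqlPassword = ProtectedSettings.ReadProtectedSetting("SqlPassword", "<your cert thumbprint>");
```

The .cscfg still carries the password, but only as a CMS envelope that is useless without the private key, so the file can remain editable in the portal and the value can be rotated by re-running Encrypt. Rotating the certificate itself means re-encrypting every protected setting with the new certificate and deploying both the new thumbprint and the new values together; the private-key check in FindCertificate is there so a misconfigured instance fails loudly at startup rather than at the first database call.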