Problem description
If a developer encrypts a connection string app.config section using RSAProtectedConfigurationProvider on their own machine, and this is subsequently deployed to a user's workstation, can that user's workstation (or server, for that matter), decrypt the connection string automatically?
Would some kind of key export/installation be required? How does this work? I realize that it's not bulletproof. I'm looking for advice on whether or not the deployment would be easy and/or work with such an encrypted connection string.
Recommended answer
It is possible. There are APIs to do it (look at the System.Security.Cryptography namespace), or from the command line you can use aspnet_regiis:
aspnet_regiis -pc -exp : create an exportable key pair
aspnet_regiis -px : export an RSA key pair to an XML file
aspnet_regiis -pi : import an RSA key pair from an XML file
aspnet_regiis -pa : add access for an account to a key container
Of course, when using encryption, you are simply substituting the problem of protecting data (your connection string) by a problem of protecting the key.
In your example, as you are aware since you say you know it's not bulletproof, the user will need to have access to the key container so will be able to decrypt the encrypted connection string.
In addition, anyone who gets hold of the XML file containing the exported key pair will be able to do so.
Update
The deployment procedure would be something like:
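- Create an exportable key on the developer workstation (aspnet_regiis -pc -exp)
- Encrypt the configuration section on the developer workstation using this key
- Export the key to an XML file (aspnet_regiis -px)
- Copy the XML file to the target machine
- Import the key from the XML file on the target machine (aspnet_regiis -pi)
- Give the user account(s) read access to the key on the target machine (aspnet_regiis -pa)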
Sections encrypted using a protected configuration provider such as RSAProtectedConfigurationProvider will be decrypted automatically, provided the Windows identity under which the application is running has read permission for the RSA key container.
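The deployment procedure above, written as PowerShell functions for the two machines (an added example, not part of the original answer). The container name, provider name, paths, account and the Framework64 location of aspnet_regiis are assumptions; the provider passed to -prov must already be declared under configProtectedData in the config file with a matching keyContainerName.

```powershell
# Added example. All names and paths below are placeholders (assumptions).
$Regiis    = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$Container = 'AppConfigKeys'     # RSA key container shared by both machines
$Provider  = 'AppRsaProvider'    # provider name declared in configProtectedData

function Invoke-Regiis([string[]]$RegiisArgs) {
    # Run aspnet_regiis and stop if it reports a failure.
    & $Regiis $RegiisArgs
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed: $RegiisArgs" }
}

function Publish-ConfigKey {
    # Developer workstation: create key, encrypt section, export key.
    param([string]$AppDir, [string]$KeyFile)

    # Create a key container whose key pair can be exported.
    Invoke-Regiis '-pc', $Container, '-exp'

    # -pef only looks for web.config, so encrypt a temporary copy of app.config.
    Copy-Item "$AppDir\app.config" "$AppDir\web.config"
    Invoke-Regiis '-pef', 'connectionStrings', $AppDir, '-prov', $Provider
    Move-Item "$AppDir\web.config" "$AppDir\app.config" -Force

    # -pri includes the private key; without it the target cannot decrypt.
    # Anyone who obtains this file can decrypt the connection string.
    Invoke-Regiis '-px', $Container, $KeyFile, '-pri'
}

function Install-ConfigKey {
    # Target machine: import key, grant read access, remove the key file.
    param([string]$KeyFile, [string]$Account)
    try {
        # Imported without -exp, so the key is not marked exportable here.
        Invoke-Regiis '-pi', $Container, $KeyFile
        # Grant only the identity the application runs under.
        Invoke-Regiis '-pa', $Container, $Account
    }
    finally {
        # Delete the exported key pair once it is no longer needed.
        Remove-Item $KeyFile -Force -ErrorAction SilentlyContinue
    }
}

# Developer workstation:
#   Publish-ConfigKey -AppDir 'C:\build\MyApp' -KeyFile 'C:\build\AppConfigKeys.xml'
# Target machine (elevated prompt), after copying the XML file over:
#   Install-ConfigKey -KeyFile 'C:\deploy\AppConfigKeys.xml' -Account 'CONTOSO\appuser'
```

Delete the developer-side copy of the XML file as well once the target has imported it; Remove-Item unlinks the file but does not overwrite its contents on disk.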