Configuration files can be encrypted
Encrypting Configuration Sections
ASP.NET never serves requests for configuration files, because they often contain sensitive information.
However, even with this basic restriction in place, you may want to increase security by
encrypting sections of a configuration file. This is a recommended practice for data such as connection
strings and user-specific details. (Of course, any passwords should also be encrypted, although
ideally they won't be placed in a configuration file at all.)
ASP.NET supports two encryption options:
RSA: The RSA provider uses a key pair, stored in an RSA key container on the machine, to encrypt the configuration
data. The advantage is that you can copy this key between computers by exporting the key container
and importing it on each server (for example, if you want to use the same configuration file with all the
servers in a web farm). The RSA provider is used by default.
DPAPI: The DPAPI (data protection API) provider uses a protection mechanism that's built into
Windows. Configuration sections are encrypted using a machine-specific key. The advantage is that
you don't need to manage or maintain the key. The disadvantage is that you can't use a configuration
file encrypted in this way on any other computer. Note also that the machine key is available to any
process on that server, whatever account it runs under, so DPAPI protects copies of the file that leave
the server (backups, source control, a stolen disk) rather than the file on the server itself.
With both of these options, encryption is completely transparent. When you retrieve a setting
from an encrypted section, ASP.NET automatically performs the decryption and returns the plain
text to your code (provided the required key is available). Similarly, if you modify a value programmatically
and save it, encryption is performed automatically. The one thing you lose is the ability to edit
that section of the web.config file by hand; instead you use the WAT, the IIS snap-in, or your own
custom code. When you use the configuration API, the decryption and encryption steps are performed
automatically when you read from or write to a protected section.
Programmatic Encryption
To enable encryption programmatically, you need to retrieve the corresponding
ConfigurationSection.SectionInformation object and then call the ProtectSection() method. Any existing data is
encrypted at this point, and any changes you make from this point on are automatically encrypted.
If you want to switch off encryption, you simply use the corresponding UnprotectSection() method.
Either way, nothing is written until you call Save() on the Configuration object, and saving web.config
from a running application causes ASP.NET to restart the application. Here's an example that encrypts
the appSettings section if it's unencrypted or switches off encryption if it is:
using System.Configuration;
using System.Web.Configuration;

// Open the web.config of the current application (needs an HTTP context).
Configuration config = WebConfigurationManager.OpenWebConfiguration(
    Request.ApplicationPath);
ConfigurationSection appSettings = config.GetSection("appSettings");
if (appSettings.SectionInformation.IsProtected)
{
    // Already encrypted: write it back as plain text.
    appSettings.SectionInformation.UnprotectSection();
}
else
{
    // Encrypt with the DPAPI provider (machine-specific key).
    appSettings.SectionInformation.ProtectSection(
        "DataProtectionConfigurationProvider");
}
// Nothing reaches disk until Save(); the worker process needs write
// permission on web.config for this to succeed.
config.Save();
Here's an excerpted version of what a protected <appSettings> section looks like:
<appSettings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAIEokx++BE0mpDaPjVrJ/jQQAAAA
CAAAAAAADZgAAqAAAABAAAAClK6Kt++FOJoJrMZs12KWdAAAAAASAAACgAAAAEAAAAFYA23iGZF1pe
FwDPTKM2/1IAQAAYG/Y4cmSlEVs/a4yK7KXoYbWtjDsQBnMAcndmK3q+ODw/8...</CipherValue>
    </CipherData>
  </EncryptedData>
</appSettings>
Apart from the configProtectionProvider attribute, which names the provider needed to decrypt the section, you can't tell anything about the encrypted data, including the number of settings, the key names of settings, or their data types.
Command-Line Encryption
Currently, no graphical tool exists for encrypting and decrypting configuration file settings. However,
if you don't want to write code, you can use the aspnet_regiis.exe command-line utility, which
is found in the directory %WinDir%\Microsoft.NET\Framework\[Version] (or Framework64 on a 64-bit
system) and must be run from an elevated command prompt. To address your application by virtual path,
you must have already created a virtual directory to set your application up in IIS (see Chapter 18 for
more about that process); alternatively, the -pef and -pdf switches accept the physical path of the
directory that contains web.config.
When using aspnet_regiis to protect a portion of a configuration file, you need to specify these
command-line arguments:
• The -pe switch specifies the configuration section to encrypt (the -pd switch decrypts it again).
• The -app switch specifies your web application's virtual path.
• The -prov switch specifies the provider name. If you omit it, the default RsaProtectedConfigurationProvider is used.
Here's the command line that duplicates the earlier example for an application at
http://localhost/TestApp:
aspnet_regiis -pe "appSettings" -app "/TestApp" -prov "DataProtectionConfigurationProvider"
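The following script is an added example, not code from the book. It ties together the programmatic API from the previous section and the aspnet_regiis tool described here to do what the RSA provider is recommended for: encrypting connectionStrings with a key that every server in a web farm shares. It is written as a PowerShell deployment script because that is where this work is normally done, and every name in it is an assumption for illustration: the application root C:\inetpub\wwwroot\TestApp, the key container FarmConfigKey, the provider name FarmRsaProvider, the application pool identity "IIS AppPool\TestApp", the .NET 4.x folder v4.0.30319, and the export path C:\secure.

```powershell
# Added example (not from the book): protect connectionStrings with an RSA key
# that every server in a web farm shares, run from an elevated Windows
# PowerShell prompt on the first node. All names are assumptions for
# illustration (application root, key container, provider name, app pool
# identity, framework folder, export path).
$ErrorActionPreference = 'Stop'
$aspnetRegiis = Join-Path $env:WinDir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$webRoot      = 'C:\inetpub\wwwroot\TestApp'
$keyContainer = 'FarmConfigKey'
$providerName = 'FarmRsaProvider'
$appPoolUser  = 'IIS AppPool\TestApp'
$keyExport    = 'C:\secure\FarmConfigKey.xml'

# aspnet_regiis reports failure only through its exit code.
function Invoke-AspnetRegiis([string[]]$ArgList) {
    & $aspnetRegiis @ArgList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $ArgList failed ($LASTEXITCODE)" }
}

# 1. Create a machine-level RSA key container (once per farm). -exp makes the
#    private key exportable; a container created without it can never be
#    copied to the other nodes.
Invoke-AspnetRegiis '-pc', $keyContainer, '-exp'

# 2. Grant the worker process read access to the container. Without this the
#    application fails on its first request with "The RSA key container could
#    not be opened".
Invoke-AspnetRegiis '-pa', $keyContainer, $appPoolUser

Add-Type -AssemblyName System.Configuration
Add-Type -AssemblyName System.Web

# Open web.config by physical path. Unlike Request.ApplicationPath this needs
# no HTTP context, so it works from a deployment script.
function Open-WebConfig([string]$physicalRoot) {
    $map  = New-Object System.Web.Configuration.WebConfigurationFileMap
    $vdir = New-Object System.Web.Configuration.VirtualDirectoryMapping -ArgumentList $physicalRoot, $true
    $map.VirtualDirectories.Add('/', $vdir)
    return [System.Web.Configuration.WebConfigurationManager]::OpenMappedWebConfiguration($map, '/')
}

# 3. Register a provider bound to the shared container. The built-in
#    RsaProtectedConfigurationProvider uses the machine's own
#    NetFrameworkConfigurationKey container, which the other nodes do not have.
$cfg = Open-WebConfig $webRoot
$protectedData = $cfg.GetSection('configProtectedData')
if (-not $protectedData.Providers[$providerName]) {
    $rsaType = 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, ' +
               'Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
    $settings = New-Object System.Configuration.ProviderSettings -ArgumentList $providerName, $rsaType
    $settings.Parameters['keyContainerName']    = $keyContainer
    $settings.Parameters['useMachineContainer'] = 'true'
    $protectedData.Providers.Add($settings)
    $cfg.Save()
}

# 4. Encrypt the section with that provider; this is what
#    aspnet_regiis -pef "connectionStrings" C:\inetpub\wwwroot\TestApp -prov FarmRsaProvider
#    would do. Reopen first so the provider entry saved above is loaded.
$cfg = Open-WebConfig $webRoot
$section = $cfg.GetSection('connectionStrings')
if (-not $section.SectionInformation.IsProtected) {
    $section.SectionInformation.ProtectSection($providerName)
    $cfg.Save()
}

# 5. Verify. On disk the section must carry the provider attribute and no
#    plaintext credential (this check assumes the strings contained "Password=");
#    through the API the same strings come back decrypted, because this
#    machine holds the private key.
$raw = Get-Content (Join-Path $webRoot 'web.config') -Raw
if ($raw -notmatch ('configProtectionProvider="' + $providerName + '"') -or $raw -match '(?i)password=') {
    throw 'connectionStrings is still readable in web.config'
}
$cfg = Open-WebConfig $webRoot
$cfg.ConnectionStrings.ConnectionStrings | ForEach-Object { '{0}: {1}' -f $_.Name, $_.ConnectionString }

# 6. Move the key to the other nodes: export it with the private key, then on
#    each node run "aspnet_regiis -pi FarmConfigKey FarmConfigKey.xml" and the
#    same -pa grant, and copy the encrypted web.config. The export file can
#    decrypt every section protected with this container, so move it over a
#    protected channel and delete it afterwards.
Invoke-AspnetRegiis '-px', $keyContainer, $keyExport, '-pri'
```

Step 3 writes a <configProtectedData> element with a <providers><add .../> entry into web.config; the encrypted section refers to the provider by that name, which is why the entry, the key container and its ACL must exist on every node before the file is copied there. To reverse the encryption on any node that holds the key, call UnprotectSection() through the same API or run aspnet_regiis with -pd (or -pdf for a physical path) instead of -pe.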