RE: ??? Which Key Encrypts .Config Files ???



Hello Tom,

From your post, my understanding of this issue is: you wonder where the
encryption and decryption key is stored when you encrypt the configuration
nodes. If I'm off base, please feel free to let me know.

I notice that you are using RsaProtectedConfigurationProvider, the RSA
mechanism, to encrypt the configurations. RSA needs two keys: one is the
public key, which is used to encrypt the content; the other is the private
key, used to decrypt the content. According to the MSDN article
http://msdn2.microsoft.com/en-us/library/ms998283.aspx, the key pair for
the current application is stored either in a machine-level key container
or in a user-level container. RsaProtectedConfigurationProvider uses the
machine-level key container by default. Machine-level keys are stored in
the directory:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Each file in the directory represents one key container (a public/private
key pair).
You could use the command:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pc "keycontainer_name" -exp
to create a new key container with the specified keycontainer_name.

But actually, it is not the public key of the RSA key container that
encrypts the content of the configuration information, because RSA is a
kind of asymmetric encryption, and it is slow to encrypt large messages. We
usually use a symmetric key cipher, such as DES, to encrypt large messages.
When we start to encrypt the content of a configuration file:
Firstly, it will find the RSA key container according to the key name
specified in the <EncryptedData><EncryptedKey><KeyInfo><KeyName> node.
Secondly, it generates a random DES key and uses the public key from the key
container to encrypt the DES key. Then it stores the encrypted result in the
node <EncryptedData><KeyInfo><EncryptedKey><CipherData>.
Lastly, it uses the DES key to encrypt the configuration information.

When we decrypt the configuration information:
Firstly, it will find the RSA key container according to the key name
specified in the <EncryptedData><EncryptedKey><KeyInfo><KeyName> node.
Secondly, it uses the private key to decrypt the encrypted DES key.
Lastly, it uses the DES key to decrypt the configuration information.

For more information, please refer to the page
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html

Please let me know if you have any other concerns, or need anything else.

Sincerely,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

==================================================
For MSDN subscribers whose posts are left unanswered, please check this
document: http://blogs.msdn.com/msdnts/pages/postingAlias.aspx

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express/Windows Mail, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
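The encrypt and decrypt procedures described in the reply above, as an added example that is not code from the original post, from Microsoft or from the provider itself: a self-contained Go model of the envelope scheme, using only the standard library. The map of RSA key pairs stands in for the machine-level key container directory and is looked up by the KeyName element, as the post describes; the symmetric stage uses AES-GCM where the post names DES, and the session key is wrapped with RSA-OAEP, both choices made for this example rather than taken from the provider. The element layout follows the names in the post and omits the xmlenc namespace and EncryptionMethod elements that the linked XML Encryption specification defines. The container name "keycontainer_name" is taken from the post, and the connection-string section is constructed sample data. The decrypt path spells out the two failures a practitioner meets when an encrypted config is copied to another machine: no container of that name exists there, or one exists but holds a different key pair.

```go
package main
// Added example (not the post's or Microsoft's code): a standard-library model of the
// post's envelope scheme. A map of RSA key pairs stands in for the machine-level key
// container directory; AES-GCM stands in for DES and RSA-OAEP is this example's choice.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// keyContainers holds one RSA key pair per container name (the MachineKeys files).
type keyContainers map[string]*rsa.PrivateKey

// newContainer plays the role of aspnet_regiis -pc: a fresh key pair for a container.
func newContainer() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptedData follows the post's element names (a real section adds xmlns and EncryptionMethod).
type EncryptedData struct {
	KeyName      string `xml:"KeyInfo>EncryptedKey>KeyInfo>KeyName"`
	EncryptedKey string `xml:"KeyInfo>EncryptedKey>CipherData>CipherValue"`
	CipherData   string `xml:"CipherData>CipherValue"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSection performs the post's three encryption steps.
func encryptSection(c keyContainers, keyName string, section []byte) ([]byte, error) {
	priv, ok := c[keyName] // 1. find the container by name
	if !ok {
		return nil, fmt.Errorf("RSA key container %q not found", keyName)
	}
	raw := make([]byte, 32+12) // 2. random 256-bit session key plus a 12-byte GCM nonce
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	sessionKey, nonce := raw[:32], raw[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey) // 3. symmetric cipher over the section, nonce prefixed
	if err != nil {
		return nil, err
	}
	return xml.MarshalIndent(EncryptedData{
		KeyName:      keyName,
		EncryptedKey: base64.StdEncoding.EncodeToString(wrapped),
		CipherData:   base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, section, nil)),
	}, "", "  ")
}

// decryptSection reverses the steps; its first two error paths are what a config encrypted on one machine shows on another.
func decryptSection(c keyContainers, encrypted []byte) ([]byte, error) {
	var doc EncryptedData
	if err := xml.Unmarshal(encrypted, &doc); err != nil {
		return nil, err
	}
	priv, ok := c[doc.KeyName] // 1. the container named in KeyName must exist here
	if !ok {
		return nil, fmt.Errorf("RSA key container %q not found on this machine", doc.KeyName)
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(doc.EncryptedKey)
	body, err2 := base64.StdEncoding.DecodeString(doc.CipherData)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("malformed CipherValue")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil) // 2. unwrap
	if err != nil { // a container with the same name but a different key pair fails here
		return nil, fmt.Errorf("container %q does not unwrap the session key", doc.KeyName)
	}
	gcm, err := newGCM(sessionKey) // 3. decrypt the section body
	if err != nil || len(body) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad session key or ciphertext")
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}

func main() {
	priv, err := newContainer()
	if err != nil {
		panic(err)
	}
	c := keyContainers{"keycontainer_name": priv}
	section := []byte(`<add name="db" connectionString="Password=s3cret"/>`) // constructed sample
	enc, err := encryptSection(c, "keycontainer_name", section)
	dec, derr := decryptSection(c, enc)
	fmt.Printf("%s\n%s\nerrors: %v %v\n", enc, dec, err, derr)
}
```

Run it with go run; it prints the encrypted section followed by the recovered plaintext. The -exp switch the post passes to aspnet_regiis -pc is what allows the real container to be exported later (aspnet_regiis -px) and imported on the target machine (aspnet_regiis -pi), which is the only way the KeyName lookup succeeds there; aspnet_regiis -pa additionally grants the application's identity access to the container, an ACL step this model does not represent.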
