加密、解密web.config文件（针对某些要加密的字段加密、解密）

1. Description:[/b]

The we put user name and password directly in web.config. if
the hacker attacked the web site, these important information will be unsafe.
So we should encrypt important information to keep mind. Even the hacker
attacked the web site, we can stop it to affect our database any more.

2. What we need to do is:[/b]

Before encrypted：

<connectionStrings> <add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs" providerName="System.Data.SqlClient" /> <add name="Northwind" connectionString="Server=localhost;Integrated Security=True;Database=Northwind" providerName="System.Data.SqlClient" /> </connectionStrings>

What we need to do：

<connectionStrings> <EncryptedData> <CipherData> <CipherValue>AQAAANCMndjHoAw...</CipherValue> </CipherData> </EncryptedData> </connectionStrings>

3. Methods:[/b]

There are two different ways to fulfill this:

3.1. Use default RSA secret key
container.

3.2. Custom our own RSA secret key container, but in this way, we need to set
access privileges.

4. Steps[/b]

4.1 First, let’s do default setting.[/b]

4.1.1.
Open one notepad, and copy this code in it and save it.

<%@ Page Language="C#" %> <% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>

Save it as “my.aspx” into your web site and run it. It will
shows “ NT AUTHORITY/NETWORK SERVICE ”

4.1.2.
(Key) run “cmd”, and execute these orders:

cd %windows%/Microsoft.NET/Framework/versionNumber aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITYNETWORK SERVICE"

Description:

NetFrameworkConfigurationKey
is RsaProtectedConfigurationProvider’s default provider key。

4.1.3. Now, let’s encrypt web.config, run:

aspnet_regiis -pe "connectionStrings" -app "/Myweb"

Description:

"connectionStrings" is
what we want to encrypt，"/Myweb"
is web site path.

Decrypt：

aspnet_regiis -pd "connectionStrings" -app "/Myweb"

4.1.4. Then you can use it in your code without decrypting:

... string connstr= ConfigurationManager.ConnectionStrings["myConnstr"].ConnectionString.ToString(); ...

4.2 Of course, we can custom our own RSA secret key container.[/b]

4.2.1. Create
our own secret key container “MyKeys”, run:

aspnet_regiis -pc "MyKeys" -exp

4.2.2. In web.config, put these code in it:

<protectedData> <providers> <add name="MyProvider" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0. 0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d0a3a, processorArchitecture=MSIL" keyContainerName="MyKeys" useMachineContainer="true" /> </providers> </protectedData>

To identify the provider which it is.

4.2.3. This is different with default secret key container; we need to set
access privilege for our own customed provider.

aspnet_regiis -pa "MyKeys" "NT AUTHORITYNETWORK SERVICE"

4.2.4. Now, you can encrypt your web.config:

Encrypt:

aspnet_regiis -pe "connectionStrings" -app "/Myweb" -prov "MyProvider"

Description:

"connectionStrings" is what we want to encrypt，"/Myweb" is web site
path. "MyProvider" is our own customed container.

Decrypt:

aspnet_regiis -pd "connectionStrings" -app "/Myweb" -prov "MyProvider"