Appendix B - Encrypting Configuration Files
Enterprise Library supports encryption of configuration information. Unless your server is fully protected from both physical incursion and remote incursion over the network, you should consider encrypting any configuration files that contain sensitive information, such as database connection strings, passwords and user names, or validation rules.
You can select any of the encryption providers that are included in your system's Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses the Windows Data Protection API (DPAPI), and the RsaProtectedConfigurationProvider, which uses RSA encryption. The settings for these providers, such as where keys are stored, are also in the Machine.config file. You cannot edit this file with a configuration tool; instead, you must modify it using a text editor or an operating system configuration tool. You can also define and use new providers with different settings in your application’s configuration file.
|If you deploy your application to Microsoft Azure, you should also carefully consider how to encrypt configuration settings stored in Azure. One approach to consider is using the "Pkcs12 Protected Configuration Provider."|
As an example of the effect of this option, the following is a simple unencrypted configuration for the Data Access block.
<dataConfiguration defaultDatabase="Connection String" /> <connectionStrings> <add name="Connection String" connectionString="Database=TheImportantOne; Server=WEHAVELIFTOFF; User ID=secret; Password=DontTellNE1" providerName="System.Data.SqlClient" /> </connectionStrings>
When you specify the DataProtectionConfigurationProvider option, the resulting configuration section looks like the following.
<dataConfiguration configProtectionProvider="DataProtectionConfigurationProvider"> <EncryptedData> <CipherData> <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAc8HVTgvQB0quQI81ya0uH yTmSDdYQNdiSohA5Fo6bWOqhOR5V0uxdcfNUgKhUhuIAhl5RZ8W5WD8M2CdMiqG ... JyEadytIBvTCbmvXefuN5MWT/T </CipherValue> </CipherData> </EncryptedData> </dataConfiguration> <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider"> <EncryptedData> <CipherData> <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAc8HVTgvQB0quQI81ya0uH ... zBJp7SQXVsAs=</CipherValue> </CipherData> </EncryptedData> </connectionStrings>
If you only intend to deploy the encrypted configuration file to the server where you encrypted the file, you can use the DataProtectionConfigurationProvider. However, if you want to deploy the encrypted configuration file on a different server, or on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. You will need to export the RSA private key that is required to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and re-import the keys. For more information, see "Importing and Exporting Protected Configuration RSA Key Containers."
Of course, the next obvious question is "How do I decrypt the configuration?" Thankfully, you don't need to. You can open an encrypted file in the configuration tools as long as it was created on that machine or you have imported the RSA key file. In addition, Enterprise Library blocks will be able to decrypt and read the configuration automatically, providing that the same conditions apply.
All links in this book are accessible from the book's online bibliography on MSDN at http://aka.ms/el6biblio.
If you deploy your application to Azure, you should also carefully consider how to encrypt configuration settings stored in Azure. One approach to consider is using the "Pkcs12 Protected Configuration Provider."
For more information on exporting the RSA private key that is required to decrypt the data, see "Importing and Exporting Protected Configuration RSA Key Containers."
- There are resources to help if you're getting started with Enterprise Library, and there's help for existing users as well (such as the breaking changes and migration information for previous versions) available on the Enterprise Library Community Site at http://www.codeplex.com/entlib/.
- For more details about the Enterprise Library Application Blocks, see the Enterprise Library Reference Documentation and the Enterprise Library 6 Class Library.
- You can download and work through the Hands-On Labs for Enterprise Library, which are available at http://aka.ms/el6hols.
- You can download the Enterprise Library binaries, source code, Reference Implementation, or QuickStarts from the Microsoft Download Center at http://go.microsoft.com/fwlink/p/?LinkID=290898.
- To help you understand how you can use Enterprise Library application blocks, we provide a series of simple example applications that you can run and examine. To obtain the example applications, go to http://go.microsoft.com/fwlink/p/?LinkID=304210.