Understanding Machine-Level and User-Level RSA Key Containers

The RsaProtectedConfigurationProvider class can use either machine-level or user-level RSA key containers. Microsoft Windows makes machine-level key containers available to all users, whereas a user-level key container is available only to the user that created (or imported) the key container.

User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity. User-level RSA key containers can be useful if you want to ensure that the RSA key information is removed when the Windows user profile is removed. However, because you must be logged in with the specific user account that will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections, they are inconvenient to use.

Machine-level RSA key containers are available to all users that can log in to a computer, by default, and are the most useful as you can use them to encrypt or decrypt protected configuration sections while logged in with an administrator account. A machine-level RSA key container can be used to protect information for a single application, all the applications on a server, or a group of applications on a server that run under the same user identity. Although machine-level RSA key containers are available to all users, they can be secured with NTFS Access Control Lists (ACLs) so that only required users can access them.

Note Note

It is recommended that you only secure sensitive information using protected configuration on file systems formatted using NTFS, so that you can restrict access to encryption key information using ACLs.

As there is little benefit from using user-level RSA key containers, it is recommended that you use machine-level RSA key containers when protecting configuration sections using the RsaProtectedConfigurationProvider provider. When you create an RSA key container to protect configuration information for one or more applications, it is recommended that you restrict the access to the machine-level RSA key container using the Aspnet_regiis.exe tool, with the -pa option to add access to the key for a particular identity and the -pr option to remove access to the key. For more information on how to set or determine the identity of an ASP.NET application, see ASP.NET Impersonation. For more information on granting read access to an RSA key container, see Importing and Exporting Protected Configuration RSA Key Containers.

When creating, exporting, importing, or deleting an RSA key container using the Aspnet_regiis.exe tool, you must specify whether the RSA key container is a machine-level key container or a user-level key container. You identify an RSA key container as a user-level key container with the -pku option; otherwise, the RSA key container is considered a machine-level container.