Appendix E - Encrypting Configuration Files

Enterprise Library supports encryption of configuration information. Unless your server is fully protected from both physical incursion and remote incursion over the network, you should consider encrypting any configuration files that contain sensitive information, such as database connection strings, passwords and user names, or validation rules.

You can select any of the encryption providers that are included in your system's Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses the Microsoft® Windows® Data Protection API (DPAPI), and the RsaProtectedConfigurationProvider, which uses RSA. The settings for these providers, such as where keys are stored, are also in the Machine.config file. You cannot edit this file with a configuration tool; instead, you must modify it using a text editor or an operating system configuration tool.

As an example of the effect of this option, the following is a simple unencrypted configuration for the Data Access block.

<dataConfiguration defaultDatabase="Connection String" />
<connectionStrings>
 <add name="Connection String"
      connectionString="Database=TheImportantOne; Server=WEHAVELIFTOFF;
                        User ID=secret; Password=DontTellNE1"
       providerName="System.Data.SqlClient" />
</connectionStrings>

When you specify the DataProtectionConfigurationProvider option, the resulting configuration section looks like the following.

<dataConfiguration 
      configProtectionProvider="DataProtectionConfigurationProvider">
 <EncryptedData>
  <CipherData>
   <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAc8HVTgvQB0quQI81ya0uH
      yTmSDdYQNdiSohA5Fo6bWOqhOR5V0uxdcfNUgKhUhuIAhl5RZ8W5WD8M2CdMiqG
      ...
      JyEadytIBvTCbmvXefuN5MWT/T
   </CipherValue>
  </CipherData>
 </EncryptedData>
</dataConfiguration>
<connectionStrings
       configProtectionProvider="DataProtectionConfigurationProvider">
 <EncryptedData>
  <CipherData>
   <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAc8HVTgvQB0quQI81ya0uH
      ...
      zBJp7SQXVsAs=</CipherValue>
  </CipherData>
 </EncryptedData>
</connectionStrings>

If you only intend to deploy the encrypted configuration file to the server where you encrypted the file, you can use the DataProtectionConfigurationProvider. However, if you want to deploy the encrypted configuration file on a different server, or on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. You will need to export the RSA private key that is required to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and re-import the keys. For more information, see "Importing and Exporting Protected Configuration RSA Key Containers" at http://msdn.microsoft.com/en-us/library/yxw286t2(VS.80).aspx.

Of course, the next obvious question is "How do I decrypt the configuration?" Thankfully, you don't need to. You can open an encrypted file in the configuration tools as long as it was created on that machine or you have imported the RSA key file. In addition, Enterprise Library blocks will be able to decrypt and read the configuration automatically, providing that the same conditions apply.



Show: