This page covers how to deploy a connection string that was encrypted in app.config with RSAProtectedConfigurationProvider.

Question

If a developer encrypts a connection string app.config section using RSAProtectedConfigurationProvider on their own machine, and this is subsequently deployed to a user's workstation, can that user's workstation (or server, for that matter), decrypt the connection string automatically?

Would some kind of key export/installation be required? How does this work? I realize that it's not bulletproof. I'm looking for advice on whether or not the deployment would be easy and/or work with such an encrypted connection string.

Recommended answer

It is possible. There are APIs to do it (look at the System.Security.Cryptography namespace), or from the command line you can use aspnet_regiis:

aspnet_regiis -pc -exp : create an exportable key pair
aspnet_regiis -px : export an RSA key pair to an XML file
aspnet_regiis -pi : import an RSA key pair from an XML file
aspnet_regiis -pa : add access for an account to a key container

Of course, when using encryption, you are simply substituting the problem of protecting data (your connection string) by a problem of protecting the key.

In your example, as you are aware since you say you know it's not bulletproof, the user will need to have access to the key container so will be able to decrypt the encrypted connection string.

In addition, anyone who gets hold of the XML file containing the exported key pair will be able to do so.

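Update

The deployment process would be something like:

  • Create an exportable key on the developer workstation (aspnet_regiis -pc -exp)
  • Encrypt the configuration section on the developer workstation using this key
  • Export the key to an XML file (aspnet_regiis -px)
  • Copy the XML file to the target machine
  • Import the key from the XML file on the target machine (aspnet_regiis -pi)
  • Give the user account read access to the key on the target machine (aspnet_regiis -pa)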

Sections encrypted using a protected configuration provider such as RSAProtectedConfigurationProvider will be decrypted automatically, provided the Windows identity under which the application is running has read permission for the RSA key container.
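
The deployment steps from the answer above as one PowerShell script, added here as an example and not part of the original answer. The container, provider, folder, file and account names are assumed placeholders, and the config file is assumed to declare that provider under configProtectedData with a matching keyContainerName.

```powershell
# Added example. Run from an elevated prompt: -Stage Dev on the developer
# workstation, -Stage Target on the machine that receives the application.
param([ValidateSet('Dev', 'Target')][string]$Stage = 'Dev')

$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$container = 'MyAppKeys'                   # assumed key container name
$provider  = 'MyAppRsaProvider'            # assumed provider name from <configProtectedData>
$appDir    = 'C:\MyApp'                    # assumed folder holding app.config
$keyFile   = 'C:\Transfer\MyAppKeys.xml'   # assumed export/import location
$account   = 'CONTOSO\appuser'             # assumed identity the application runs as

function Invoke-Regiis([string[]]$RegiisArgs) {
    # aspnet_regiis is a native tool, so failures surface only via the exit code.
    & $regiis $RegiisArgs
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $RegiisArgs failed ($LASTEXITCODE)" }
}

if ($Stage -eq 'Dev') {
    # Create an exportable key container.
    Invoke-Regiis @('-pc', $container, '-exp')

    # Encrypt the section. -pef only processes a file named web.config,
    # so app.config is renamed for the duration of the call.
    Rename-Item (Join-Path $appDir 'app.config') 'web.config'
    try     { Invoke-Regiis @('-pef', 'connectionStrings', $appDir, '-prov', $provider) }
    finally { Rename-Item (Join-Path $appDir 'web.config') 'app.config' }

    # Export the key pair; -pri includes the private key, which decryption needs.
    Invoke-Regiis @('-px', $container, $keyFile, '-pri')
}
else {
    # Import under the same container name. Omitting -exp here leaves the
    # imported key non-exportable on the target machine.
    Invoke-Regiis @('-pi', $container, $keyFile)

    # Grant the application's identity read access to the container.
    Invoke-Regiis @('-pa', $container, $account)

    # The XML file holds the private key in clear text: delete it after import,
    # along with the copies on the developer machine and the transfer medium.
    Remove-Item $keyFile -Force
}
```

The file must be copied between the two stages by a channel you trust, since the exported XML is equivalent to the decrypted connection string.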

06-06 03:20