Web Farm Scenario
You can use RSA encryption in Web Farms because RSA keys can be exported. You need this when you encrypt data in a Web.config file before deploying it to the other servers in the farm: the section is encrypted once, on one server, and the private key required to decrypt it must be exported from that server and imported on every other server that hosts the same Web.config.
Note: The example below assumes a SharePoint web application on port 8008 whose <appSettings> section, containing the key APP_KEY with the value APP_VALUE, is to be encrypted.
On the source front-end server
Use the following procedure:
- Run the following command from the command prompt to create a custom RSA key container. The -exp switch marks the key pair as exportable, which is what makes the later export of the private key possible:
aspnet_regiis -pc "CustomKeys" -exp
If the command is successful, you will see the following output:
Creating RSA Key container...
Succeeded!
- Add the following new section to the web.config of the port 8008 web application, as a direct child of <configuration>. The keyContainerName must match the container created in the previous step, and the provider name ("CustomProvider") is what the encryption command refers to:
    <configProtectedData>
      <providers>
        <add keyContainerName="CustomKeys"
             useMachineContainer="true"
             description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
             name="CustomProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </configProtectedData>
- Run the following command in the command prompt. The second argument is the physical directory that contains the web.config, and -prov selects the provider element added above:
aspnet_regiis -pef "appSettings" "C:\inetpub\wwwroot\wss\VirtualDirectories\8008" -prov "CustomProvider"
If the encryption is successful, you will see the following output:
Encrypting configuration section...
Succeeded!
Note: This step replaces the <add> entries of the appSettings section in web.config with ciphertext. Decryption is transparent to the application: .NET code that reads appSettings through ConfigurationManager does not change at all.
- Grant the ASP.NET application pool identity access to the key container. Run the following command in the command prompt:
aspnet_regiis -pa "CustomKeys" "domainname\username"
Here, domainname\username is the account under which the application pool of the port 8008 web application runs. This is the identity that must decrypt the section at runtime; without this grant the application fails with an error that the RSA key container could not be opened.
- Run the following command from a command prompt to export the custom RSA key container. The -pri switch includes the private key in the export; without it the other servers could encrypt but not decrypt:
aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri
- Now transfer CustomKeys.xml and the encrypted web.config to the other front-end server. CustomKeys.xml contains the private key in clear text, so copy it over a secure channel and treat it like any other secret.
On the destination front-end server
Use the following procedure:
- Deploy the application and the encrypted Web.config file onto this server. Also copy the CustomKeys.xml file to a local directory on this server, for example the C:\ directory.
- In Web.config, replace the plain-text <appSettings> section with the encrypted one taken from the source server and add the same provider section as a direct child of <configuration>:
    <configProtectedData>
      <providers>
        <add keyContainerName="CustomKeys"
             useMachineContainer="true"
             description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
             name="CustomProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </configProtectedData>
- On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:
aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"
If the command is successful, you will see the following output:
Importing RSA Keys from file...
Succeeded!
- The export file carries the key pair but not the access list of the container, so grant the application pool identity access on this server as well, exactly as on the source server:
aspnet_regiis -pa "CustomKeys" "domainname\username"
Note: After you have finished exporting and importing the RSA keys, it is important (for security reasons) to delete the CustomKeys.xml file from both machines, because it contains the private key in clear text.
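The whole procedure above, on both the source and the destination server, driven from PowerShell. This is an added example and not code from the original article: it runs the same aspnet_regiis commands, but stops on any failed step, inserts the <configProtectedData> provider element itself, repeats the access grant on the destination, deletes the export file, and verifies that appSettings really is ciphertext before finishing. The framework directory, the application pool account name (CONTOSO\sp_apppool) and the parameter defaults are assumptions; adjust them to your farm and run the script as an administrator.

```powershell
# Added example (not from the original article): drives the source and
# destination steps with aspnet_regiis, checks every exit code and verifies
# the result. Run as an administrator on each front-end server.
# Assumptions (not in the original): framework path, pool account, defaults.
param(
    [ValidateSet('Source', 'Destination')]
    [string] $Role = 'Source',
    [string] $KeyContainer    = 'CustomKeys',
    [string] $ProviderName    = 'CustomProvider',
    [string] $SiteDir         = 'C:\inetpub\wwwroot\wss\VirtualDirectories\8008',
    [string] $AppPoolIdentity = 'CONTOSO\sp_apppool',   # assumed: the pool's service account
    [string] $KeyXml          = 'C:\CustomKeys.xml'
)

# Assumed: 64-bit .NET 2.0 framework, the CLR that SharePoint 2007/2010 web apps run on.
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe'
$webConfig = Join-Path $SiteDir 'web.config'

function Invoke-RegIis {
    # Runs aspnet_regiis and fails loudly on a non-zero exit code, so a failed step
    # (for example a container that already exists) cannot be silently skipped.
    param([string[]] $Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Add-ProtectedDataProvider {
    # Inserts the <configProtectedData> provider element (as a child of
    # <configuration>) unless web.config already has one.
    param([string] $Path, [string] $Container, [string] $Provider)
    [xml] $cfg = Get-Content -LiteralPath $Path
    if ($null -ne $cfg.configuration.configProtectedData) { return }
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', $Provider)
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', $Container)
    $add.SetAttribute('useMachineContainer', 'true')
    $providers = $cfg.CreateElement('providers')
    [void] $providers.AppendChild($add)
    $cpd = $cfg.CreateElement('configProtectedData')
    [void] $cpd.AppendChild($providers)
    [void] $cfg.configuration.AppendChild($cpd)
    $cfg.Save($Path)
}

function Test-SectionEncrypted {
    # True when the section is ciphertext: aspnet_regiis marks it with
    # configProtectionProvider="..." and replaces its <add> entries with <EncryptedData>.
    param([string] $Path, [string] $Section, [string] $Provider)
    [xml] $cfg = Get-Content -LiteralPath $Path
    $node = $cfg.configuration.$Section
    return ($null -ne $node) -and
           ($node.configProtectionProvider -eq $Provider) -and
           ($null -ne $node.EncryptedData)
}

switch ($Role) {
    'Source' {
        Invoke-RegIis @('-pc', $KeyContainer, '-exp')              # exportable machine-level container
        Add-ProtectedDataProvider $webConfig $KeyContainer $ProviderName
        Invoke-RegIis @('-pef', 'appSettings', $SiteDir, '-prov', $ProviderName)
        Invoke-RegIis @('-pa', $KeyContainer, $AppPoolIdentity)    # the pool must decrypt at runtime
        Invoke-RegIis @('-px', $KeyContainer, $KeyXml, '-pri')     # export WITH the private key
        if (-not (Test-SectionEncrypted $webConfig 'appSettings' $ProviderName)) {
            throw "appSettings in $webConfig is still in clear text"
        }
        Write-Warning "$KeyXml holds the private key in clear: copy it over a secure channel, then delete it."
    }
    'Destination' {
        Invoke-RegIis @('-pi', $KeyContainer, $KeyXml)
        # The export carries the key pair but not its access list, so repeat the grant here.
        Invoke-RegIis @('-pa', $KeyContainer, $AppPoolIdentity)
        Remove-Item -LiteralPath $KeyXml -Force                    # never leave the private key on disk
        if (-not (Test-SectionEncrypted $webConfig 'appSettings' $ProviderName)) {
            throw "Deploy the encrypted web.config to $SiteDir before starting the site"
        }
    }
}
```

Run it once with -Role Source on the server that encrypts, copy CustomKeys.xml and web.config across, then run it with -Role Destination on each remaining front end. Test-SectionEncrypted is the check worth keeping even if you run the commands by hand: a -pef that was pointed at the wrong directory succeeds silently and leaves the real web.config in clear text.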
How to use in the application
- Add the following Default.aspx Web page to your application's virtual directory and then browse to it to verify that encryption and decryption are working correctly. The page reads the value exactly as it would from an unencrypted appSettings section; the RSA provider decrypts it transparently under the application pool identity.
    <%@ Page Language="C#" %>
    <%@ Import Namespace="System.Configuration" %>
    <script runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            // AppSettings values are already strings, and a missing key yields null,
            // so no ToString() call is needed (it would throw on a missing key).
            Response.Write("AppSetting value is: " +
                ConfigurationManager.AppSettings["APP_KEY"]);
        }
    </script>
    <html>
    <body></body>
    </html>
Output:
AppSetting value is: APP_VALUE