000036274 - How to encrypt sections of an RSA Archer configuration file

Document created by RSA Customer Support Employee on Apr 19, 2018
Version 1

Article Content

Article Number: 000036274
Applies To: RSA Product Set: Archer
RSA Product/Service Type: Archer
Issue

RSA Archer integration code often makes use of .NET configuration files. Web applications use a web.config file, and desktop applications use an app.config file that is renamed to YourAppName.exe.config when the application is compiled. In each of these cases, it may be necessary to add sensitive information to the config file in order for the application to function properly. Maintaining the security of this information may require the encryption of one or more sections within the file. Microsoft provides a utility to perform this function called aspnet_regiis.exe. This utility is part of the .NET Framework and will be found by default at a location similar to the following: C:\Windows\Microsoft.NET\Framework\v4.0.30319. Although this utility is designed for use with web.config files, app.config files share the same format and can also be encrypted with a little additional preparation.
Tasks

To encrypt sections of a web.config, you only need to run the command. To encrypt sections of an app.config, you’ll need to:



  1. Rename the app.config file to web.config
  2. Encrypt the file
  3. Rename it back to its original name

For example, if I were working with an integration utility called Integration.Console.exe, it would have an app.config called Integration.Console.exe.config. I would have to rename this file to web.config and run the following command:



aspnet_regiis -pef "appSettings" "C:\Dev\Integration.Console\bin\Debug" -prov "DataProtectionConfigurationProvider"



The parameters being used in this call can be clarified with some additional detail.

  aspnet_regiis                         The name of the utility
  -pef                                  Indicates that we’ll be encrypting a section and specifying a path
  appSettings                           The name of the config section to encrypt
  C:\Dev\…                              The path to the folder containing the web.config file
  -prov                                 Indicates that we’ll specify the encryption provider to use
  DataProtectionConfigurationProvider   The name of the encryption provider


After running this command, if I were to open the web.config file in Notepad++ and visually inspect it, I would see that the contents of the appSettings section are encrypted. This is an example of what an encrypted appSettings section might look like:



<appSettings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAQ/zlSuFJmUOVOhp6D5Ug3AQAAAACAAAAAAADZgAAwAAAABAAAAC+tD7qfphxlBuoMgSCXXc7AAAAAASAAACgAAAAEAAAAF9qmw4nTZdIMxD/mH1GTqYQBAAAieV+5hxppxIln20hwe/1iQdMy9TFoqhl02hDNEdgvL98+p0MSkDqwNdLZbYjLVFn4rANE67Hw+GOVLpn1MNixPgUB6eMf+DguntbbHIERV+KmKAyJNFIV/bdY=</CipherValue>
    </CipherData>
  </EncryptedData>
</appSettings>



Note that the XML for the configuration section is still human-readable, but the configuration values for that section are now encapsulated inside the <CipherValue> node and are no longer human-readable.
At this point, the file can be renamed back to its original name (in my case that was Integration.Console.exe.config) and the application will run normally using the encrypted config file. .NET will decrypt config files at runtime, so no other changes are necessary. When I need to make changes to one of my encrypted config values, I can simply rename the file to web.config and decrypt it with a command line like this:



aspnet_regiis -pdf "appSettings" "C:\Dev\Integration.Console\bin\Debug"



In order to use aspnet_regiis, you will need to open a command prompt and navigate to a location where it is in your execution path. If you have Visual Studio installed, you can do this easily by opening the Developer Command Prompt from the VS Tools menu in the Visual Studio program group under the start menu. If you’re on a machine that doesn’t have Visual Studio installed, you’ll need to navigate to your .NET framework folder. A typical installation will be in a path similar to C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe.



Once you’re in a location that has aspnet_regiis.exe in its execution path, you’ll be ready to issue the commands outlined above. 



The encryption provider used in this example (DataProtectionConfigurationProvider) will use keys from the machine store, so the user running the application with the encrypted config file does NOT have to be the same user that encrypted it. If you want to use a key from the user store, you will need to make a few additional configuration changes, and the user running the application with the encrypted config file DOES have to be the same user that encrypted it. This article on How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI contains the details.
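As an added example (not code from the RSA article), the same protection can be applied from C# through the System.Configuration API, which opens YourApp.exe.config directly and so removes the rename-to-web.config step; the tool name ConfigProtect and its command-line arguments are assumptions for illustration.

```csharp
// Added example (not code from the RSA article): encrypt or decrypt a section of an
// application's .exe.config through the System.Configuration API instead of renaming
// it to web.config for aspnet_regiis. OpenExeConfiguration reads YourApp.exe.config
// directly. Build as a .NET Framework console app referencing System.Configuration.dll.
// Usage (assumed tool name): ConfigProtect.exe <path\to\YourApp.exe> <section> protect|unprotect
using System;
using System.Configuration;

static class ConfigProtect
{
    // Same provider the article uses: DPAPI keys from the machine store, so any
    // account on this machine can decrypt, but the file cannot be read on another host.
    const string Provider = "DataProtectionConfigurationProvider";

    static int Main(string[] args)
    {
        if (args.Length != 3 || (args[2] != "protect" && args[2] != "unprotect"))
        {
            Console.Error.WriteLine("usage: ConfigProtect <exePath> <section> protect|unprotect");
            return 2;
        }
        string exePath = args[0], sectionName = args[1];
        bool protect = args[2] == "protect";

        // Loads <exePath>.config; no rename to web.config is required.
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
        {
            Console.Error.WriteLine("section not found: " + sectionName);
            return 1;
        }

        SectionInformation info = section.SectionInformation;
        if (protect == info.IsProtected)
        {
            Console.WriteLine(sectionName + " is already " + (protect ? "encrypted" : "plaintext"));
            return 0;
        }
        if (protect)
            info.ProtectSection(Provider);   // values become <EncryptedData>/<CipherValue>
        else
            info.UnprotectSection();         // restores the original plaintext XML
        info.ForceSave = true;               // write the section even though no value changed
        config.Save(ConfigurationSaveMode.Modified);
        Console.WriteLine(sectionName + (protect ? " encrypted with " + Provider : " decrypted"));
        return 0;
    }
}
```

Run it from an account that can write to the config file's folder; the resulting file is the same form aspnet_regiis produces, so .NET decrypts it at runtime without any further change.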

If this is an operation you expect to perform regularly, it would be a good idea to encapsulate this operation in a batch file so that it can be performed quickly and easily. A sample encryption batch file might look like this:



@echo off
rem Edit these two values to match your environment.
set frameworkPath=C:\Windows\Microsoft.NET\Framework\v4.0.30319
set originalPath=C:\Dev\pso\Archer\DataFeedMonitor\DataFeedMonitor\bin\Debug
rem The config file name may be passed as the first argument; otherwise the default below is used.
if "%~1"=="" (set originalFileName=DataFeedMonitor.exe.config) else (set originalFileName=%~1)
rem /d also switches drive, so aspnet_regiis is found even when this batch file runs from another drive.
cd /d "%frameworkPath%"
echo.
echo This batch file will encrypt the appSettings section in %originalPath%\%originalFileName%
echo Saving original file as %originalPath%\%originalFileName%.original
rem The .original copy still holds the plaintext values; remove it once the encrypted file has been verified.
copy "%originalPath%\%originalFileName%" "%originalPath%\%originalFileName%.original"
rem aspnet_regiis only operates on a file named web.config, so rename, encrypt, then rename back.
rename "%originalPath%\%originalFileName%" web.config
echo.
echo Encrypting appSettings...
aspnet_regiis -pef "appSettings" "%originalPath%" -prov "DataProtectionConfigurationProvider"
rename "%originalPath%\web.config" "%originalFileName%"
pause




A sample decryption batch file might look like this:



@echo off
rem Edit these two values to match your environment.
set frameworkPath=C:\Windows\Microsoft.NET\Framework\v4.0.30319
set originalPath=C:\Dev\pso\Archer\DataFeedMonitor\DataFeedMonitor\bin\Debug
rem The config file name may be passed as the first argument; otherwise the default below is used.
if "%~1"=="" (set originalFileName=DataFeedMonitor.exe.config) else (set originalFileName=%~1)
rem /d also switches drive, so aspnet_regiis is found even when this batch file runs from another drive.
cd /d "%frameworkPath%"
echo.
echo This batch file will decrypt the appSettings section in %originalPath%\%originalFileName%
echo Saving original file as %originalPath%\%originalFileName%.original
copy "%originalPath%\%originalFileName%" "%originalPath%\%originalFileName%.original"
rem aspnet_regiis only operates on a file named web.config, so rename, decrypt, then rename back.
rename "%originalPath%\%originalFileName%" web.config
echo.
echo Decrypting appSettings...
aspnet_regiis -pdf "appSettings" "%originalPath%"
rename "%originalPath%\web.config" "%originalFileName%"
pause



In both cases, you would need to edit the values of frameworkPath and originalPath to point to values appropriate for your environment. After that change, you can encrypt and decrypt your config files with a click of the mouse!

In the event that the configuration section you need to encrypt is a custom section with a custom handler, you will need to ensure that the handler is in the path for aspnet_regiis. For example, if I had a config file with a <myCustomSection> section, there would be a handler registered in the file for it like this: 



<configSections>
  <!-- The type attribute takes the form "Namespace.TypeName, AssemblyName" -->
  <section name="myCustomSection" type="MyCustomSection.MyCustomSectionHandler, MyAssembly" />
</configSections>



In this declaration, MyAssembly will be the name of the .dll containing the custom handler class. MyCustomSection.MyCustomSectionHandler is the fully qualified class name of the handler. If I wanted to encrypt the corresponding config section, I would need to copy MyAssembly.dll to a location where it is in the path for aspnet_regiis. The .NET framework folder will meet this need, but in order to copy a file to that location, you will need to have administrative privileges.

Resolution

Your config file will contain (encrypted) cipher data representing the values you want to secure. .NET can decrypt these values at runtime, so the application can run normally with this encrypted configuration file. Batch files are in place to decrypt the settings should you ever need to update their values.
