.net 在 web.config 中加密 appSettings
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/54200/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Encrypting appSettings in web.config
提问by Mauro
I am developing a web app which requires a username and password to be stored in the web.Config, it also refers to some URLs which will be requested by the web app itself and never the client.
我正在开发一个 web 应用程序,它需要将用户名和密码存储在 web.Config 中,它还引用了一些将由 web 应用程序本身而不是客户端请求的 URL。
I know the .Net framework will not allow a web.config file to be served, however I still think its bad practice to leave this sort of information in plain text.
我知道 .Net 框架不允许提供 web.config 文件,但是我仍然认为将此类信息以纯文本形式保留是不好的做法。
Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.
到目前为止我读过的所有内容都要求我使用命令行开关或将值存储在服务器的注册表中。我无法访问这些,因为主机在线,我只能访问 FTP 和控制面板(掌舵)。
Can anyone recommend any good, free encryption DLL's or methods which I can use? I'd rather not develop my own!
谁能推荐我可以使用的任何好的、免费的加密 DLL 或方法?我宁愿不开发自己的!
Thanks for the feedback so far guys but I am not able to issue commands and and not able to edit the registry. Its going to have to be an encryption util/helper but just wondering which one!
感谢到目前为止的反馈,但我无法发出命令,也无法编辑注册表。它必须是一个加密实用程序/助手,但只是想知道是哪一个!
回答by aku
- Encrypting and Decrypting Configuration Sections(ASP.NET) on MSDN
- Encrypting Web.Config Values in ASP.NET 2.0on ScottGu's blog
- Encrypting Custom Configuration Sectionson K. Scott Allen's blog
- MSDN 上的加密和解密配置节(ASP.NET)
- ScottGu博客上的ASP.NET 2.0 中的加密 Web.Config 值
- 在 K. Scott Allen 的博客上加密自定义配置部分
EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSectionmethod.
编辑:
如果您不能使用 asp 实用程序,您可以使用SectionInformation.ProtectSection方法加密配置文件。
Sample on codeproject:
代码项目示例:
Encryption of Connection Strings inside the Web.config in ASP.Net 2.0
回答by Matt
While on the first glance it seems to be straightforward, there are a couple of hurdles I encountered.
虽然乍一看似乎很简单,但我遇到了一些障碍。
So I am providing steps that worked fine for me (to encrypt the appSettingssection) using the default crypto provider:
所以我提供了使用默认加密提供程序对我有用的步骤(加密appSettings部分):
Encryptsections in the web.config:
加密web.config 中的部分:
- Open Admin command shell (run as administrator!). The command prompt will be on
C:which is assumed for the steps below.
Further assumed is that the application is deployed onD:\Apps\myApp- replace this by the path you're using in step 3. cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319", on 32 bit Windows systems useFrameworkinstead ofFramework64cd /D "D:\Apps\myApp"
Note:The/Dswitch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will beD:\Apps\myAppafterwards.c:aspnet_regiis -pef appConfig .
- 打开管理命令外壳(以管理员身份运行!)。命令提示符将位于
C:下面的步骤中。
进一步假设应用程序已部署在D:\Apps\myApp- 将其替换为您在步骤 3 中使用的路径。 cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319", 在 32 位 Windows 系统上使用Framework而不是Framework64cd /D "D:\Apps\myApp"
注:该/D交换机会自动更改驱动器如果是从当前驱动器不同。在这里它会改变路径和驱动器,所以当前目录将在D:\Apps\myApp之后。c:aspnet_regiis -pef appConfig .
You should see this message:
您应该会看到此消息:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Encrypting configuration section... Succeeded!
Microsoft (R) ASP.NET RegIIS 版本 4.0.30319.0 管理实用程序,用于在本地计算机上安装和卸载 ASP.NET。版权所有 (C) 微软公司。版权所有。加密配置部分...成功!
You can also Decryptsections in the web.config:
These are the same steps, but with option -pdfinstead of -peffor aspnet_regiis.
您还可以解密web.config 中的部分:这些步骤相同,但使用选项-pdf而不是-pefaspnet_regiis。
It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection stringssection via:
也可以加密 web.config 的其他部分,例如,您可以通过以下方式加密连接字符串部分:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
More details about that can be found here.
Note:The encryption above is transparentto your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparentencryption, for example by using Microsoft's DPAPI or by using AESalong with the Framework's AES Class.
How it is done with DPAPII have described here at Stackoverflow. DPAPI works very similar in a sense that it uses the machine's or user credential's keys. Generally, non-transparent encryptiongives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.
注意:上述加密对您的 Web 应用程序是透明的,即您的 Web 应用程序无法识别设置已加密。
您还可以选择使用非透明加密,例如使用 Microsoft 的 DPAPI 或将AES与框架的AES Class一起使用。
它是如何使用DPAPI完成的,我已经在 Stackoverflow 中进行了描述。DPAPI 的工作原理非常相似,因为它使用机器或用户凭据的密钥。通常,非透明加密为您提供更多控制权,例如您可以添加 SALT,或者您可以使用基于用户密码的密钥。如果您想了解有关如何从密码短语生成密钥的更多信息,请查看此处。
回答by Mohamed Eldefrawy
- Publish your project
- Open Developer command Prompt as Administrator
- use this command asp_rigiis -pef "appSettings" "C:\yourPublishPath" -prov "DataProtectionConfigurationProvider"
- 发布您的项目
- 以管理员身份打开开发人员命令提示符
- 使用此命令asp_rigiis -pef "appSettings" "C:\yourPublishPath" -prov "DataProtectionConfigurationProvider"
回答by Robert S.
Use aspnet_setreg.exe http://support.microsoft.com/kb/329290
使用 aspnet_setreg.exe http://support.microsoft.com/kb/329290
