aspnet_regiis: Delete a key container on a machine, then try to reimport keys

    Question

  • Yesterday on our build machine, I created a key container and exported the keys to a file using the aspnet_regiis.exe program (from the v2.0.50727 framework directory).  The commands I used were

        * aspnet_regiis -pc FlightlineKeyContainer -exp
        * aspnet_regiis -px FlightlineKeyContainer FlightlineKeyContainer.xml -pri

    I could successfully encrypt sections of my app.config on the build machine.  Using the xml file, I imported the keys to a different machine, which could then successfully read the file.

    As an experiment, I then deleted the key container on the build machine, using the command 'aspnet_regiis -pz FlightlineKeyContainer'

    Interestingly enough, I found that when I deleted the key container, I received no error encrypting the file; however, the 2nd machine could no longer read the encrypted file.

    Now I've tried to reimport the keys to the machine, but I'm getting an error.  To import, I'm using the command 'aspnet_regiis -pi FlightlineKeyContainer FlightlineKeyContainer.xml -pri' (I've tried with and without the -pri option).

    When I import, I get the following output:

    Importing RSA Keys from file

    Access is denied

    Failed!


    Is it not valid to import the same keycontainer that has been deleted?  Did the delete not really clean everything up?  Is there a way I can get around this?  I'd rather not go through the process of creating a different key container name.

    I can see a file 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys' with yesterday's date on it - I've thought about deleting that file, but am not sure if that is something I should be doing.

    Thanks,

    Beth
    Thursday, April 29, 2010 3:35 PM

Answers

  • I deleted the file 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys' that had the date/time from when I originally created the key container.  Once I did that, I was able to successfully import the same keys from the key file.

    The encrypted file could then be successfully decrypted on a machine that previously had those same keys imported.

    So I guess just running the command to delete the key container isn't enough to be able to re-use the same keys and key container name on the same machine.

    Thanks,

    Beth

     

    • Marked as answer by Beth Monday, May 03, 2010 2:33 PM
    Thursday, April 29, 2010 9:34 PM

All replies

  • ProtectSection method will call the crypto provider which will in turn automatically recreate the key container if it doesn't exist.

    You can test delete
    aspnet_regiis -pz FlightlineKeyContainer
    If the key exists it should tell you it successfully deleted the key container, otherwise it should tell you key not found. After you delete the key, try to run ProtectSection again. The key will be recreated. If you try to delete again, it will succeed.

    However the newly created key container only has the same name in common with the old container.  The keys are different and any data encrypted with the old key cannot be decrypted with the new key and vice versa (even though they have the same name).

    However the key container automatically created by the crypto provider will not have the private key exportable (as with -pc -exp option). So you will not be able to export the private key with -px -pri.

     

    Thursday, April 29, 2010 4:25 PM
  • I guess I am still confused.

    Should I be able to delete the key container on the machine that originally created it, then use the file that was created during the export process (including the private key) to create the key container with the same name and same key data?

    1. Create key container, making sure the key is exportable
    2. Export the key, including private key to a file
    3. Delete the key container
    4. Import the key using the file created from step 2, making it exportable

    All steps performed using the aspnet_regiis command.

    The machine does not have the key container - when I run the delete command now, it returns "Failed! Keyset does not exist".  Yet if I try to import the key using the same keycontainer name I receive an "Access is denied" error.

    Thanks,

    Beth

     

    Thursday, April 29, 2010 6:27 PM
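    The four-step procedure above can be checked from the machine itself before re-running the import. This is an added PowerShell example, not code from the thread: it asks the CSP whether the machine-level container still exists without creating it (the `UseExistingKey` flag), maps it to its file under MachineKeys, and lists the folder ACL and the most recently written key files, which is where both "Keyset does not exist" and "Access is denied" come from. It assumes Windows PowerShell on .NET Framework and the container name used in the thread; it deletes nothing.

    ```powershell
    # Added example: inspect an aspnet_regiis RSA key container and the MachineKeys folder.
    # Assumes Windows PowerShell (.NET Framework) and the thread's container name.
    param([string]$ContainerName = "FlightlineKeyContainer")

    # Vista+ keeps the folder under %ProgramData%; XP/2003 used the path quoted in the thread.
    $MachineKeys = if ($env:ProgramData) {
        Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
    } else {
        "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"
    }

    function Get-MachineKeyContainer {
        param([string]$Name)
        $csp = New-Object System.Security.Cryptography.CspParameters
        $csp.KeyContainerName = $Name
        # UseExistingKey makes the CSP throw instead of silently creating a new container
        # (which is what ProtectSection does, producing a different key with the same name).
        $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor `
                     [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
        try {
            $rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
            $info = $rsa.CspKeyContainerInfo
            [pscustomobject]@{
                Exists     = $true
                Exportable = $info.Exportable          # $false for auto-created containers
                UniqueName = $info.UniqueKeyContainerName
                KeyFile    = Join-Path $MachineKeys $info.UniqueKeyContainerName
            }
        } catch [System.Security.Cryptography.CryptographicException] {
            # "Keyset does not exist" = container really gone; "Access is denied" = ACL problem.
            [pscustomobject]@{ Exists = $false; Error = $_.Exception.Message }
        } finally {
            if ($rsa) { $rsa.Dispose() }   # PersistKeyInCsp is true, so this keeps the container
        }
    }

    $container = Get-MachineKeyContainer -Name $ContainerName
    $container | Format-List

    # The importing account needs Modify on the folder (and on any stale key file) for -pi to succeed.
    Get-Acl $MachineKeys | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

    if ($container.Exists) {
        Get-Acl $container.KeyFile | Select-Object -ExpandProperty Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    }

    # Candidate leftovers from an incomplete -pz: newest key files first, for manual review only.
    Get-ChildItem $MachineKeys -Force | Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, LastWriteTime, Length
    ```

    Run it from an elevated prompt as the same account that runs aspnet_regiis, since MachineKeys grants each account access only to the files it created.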
  • Actually, the corresponding key file under the MachineKeys folder is supposed to be deleted automatically when you run command 'aspnet_regiis -pz FlightlineKeyContainer'.

    Not sure what happened on your machine, but you may use Process Monitor to find out why the key file is not deleted, you can use filter like this:

        Process Name is aspnet_regiis.exe

        Path is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Friday, April 30, 2010 7:10 AM
  • Hi,

    How about the issue status?


    Sincerely,
    Eric
    Monday, May 03, 2010 1:58 AM
  • Late answer, but I've got the same problem and I've solved it.

    For me, I didn't have any write access to the folder 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'. So I just gave myself write access (modify) on that folder and after that it worked.

     

    Maybe it can help someone ;)

    Wednesday, March 30, 2011 11:26 AM