Issue in using Cryptography application block on Azure Web Role


  • **Problem :** 
    On Azure, randomly cryptography blocks fails to decrypt the password, and web role restart is required to regenerate the Protected Key to make it work. 

    **Scenario :**
    In one of my application(web role on azure), I am using Cryptography Application Block to encrypt and decrypt passwords. I am using a symmetric algorithm provider - 3DES.

    I am using Application_Start in Global.asax Event to set Cryptography Settings. Basically, it uses a combination of export key and a Protected Key. Export Key is used once to generate the Protected Key which is then used to Encrypt and Decrypt password.

    Code for registering the Cryptography settings 

         /// <summary>
                /// Registers and configures cryptography settings at the application start event. 
                /// </summary>
                public static void RegisterCryptographySettings()
                    ConfigurationSourceBuilder configBuilder = new ConfigurationSourceBuilder();
                    string keyFile = Path.Combine(InternalKeys._INTERNAL_SECURITYKEY_PATH, InternalKeys._SECURITYKEYFILE);
                        .WithOptions.UseKeyFile(keyFile, DataProtectionScope.LocalMachine);
                    DictionaryConfigurationSource configSource = new DictionaryConfigurationSource();
                    EnterpriseLibraryContainer.Current = EnterpriseLibraryContainer.CreateDefaultContainer(configSource);
                /// <summary>
                /// Checks if the encryption key file is present; 
                /// If not, will try to restore the key file from the exported (and encrypted) key information file.
                /// </summary>
                private static void ValidateEncryptionKeyFile()
                    string keyFile = Path.Combine(InternalKeys._INTERNAL_SECURITYKEY_PATH, InternalKeys._SECURITYKEYFILE);
                    if (!File.Exists(keyFile))
                        // KeyFile does not exist, server may have been moved. So try to restore it from an exported Key.
                        string importFile = Path.Combine(InternalKeys._INTERNAL_SECURITYKEY_PATH, InternalKeys._KEYIMPORTFILE);
                        if (!File.Exists(importFile))
                            // TODO: add this to resource files
                            throw new Exception("Security is not configured correctly. Please contact your Administrator.");
                        using (FileStream importKeyFileStream = File.Open(importFile, FileMode.Open, FileAccess.Read))
                            ProtectedKey key = KeyManager.RestoreKey(
                            using (FileStream restoreKeyStream = File.Open(keyFile, FileMode.Create))
                                KeyManager.Write(restoreKeyStream, key);

    Apart from the use of export key, I am quite sure that generation of Protected key has some machine element as well.

    So In short, I am looking for :

    Q 1 ) What Machine element does Cryptography uses to generate the Protected Key ?

    Q 2 ) What should I do at web role level to make sure that particular machine element remains static across deployments and azure auto level changes.
    Monday, September 23, 2013 1:05 AM


All replies

  • hi,

    I think you could add those code in web may overcome your Q2.

    And i guess "Cryptography uses to generate the Protected Key" when use access this website,it will generate this key.So I suggest you may need write this function in web role.

    Monday, September 23, 2013 2:28 PM
  • You need to ask the question on a cryptography forum to find "What Machine element does Cryptography uses to generate the Protected Key". Different algorithms may vary. But many of them use machine key. And you can configure so all instances of a web role use the same machine key. See for a sample.

    Tuesday, September 24, 2013 1:44 AM
  • Well I need to see the source of Enterprise Library to see how it works. But the link that you've put in relates to Azure 1.3, and I am already on 2.1. 
    Tuesday, September 24, 2013 3:24 AM
  • Yes, in SDK 2.1, you can just specify the machine key in web/app.config. But you still need to do that explicitly so all instances of the same role will use the same machine key.
    Tuesday, September 24, 2013 3:29 PM
  • Can you please post this to the Enterprise Library forum at: This is the preferred feedback and support channel for such issues.

    The article( applies to 1.3, but you can verify if the machineKey you are intending to use is the one being used or not using the last step in that article.

    To verify that the machine key is updated, execute the following snippet within the site’s application and observe that the output matches the value for validationKey as set in the web.config files in the previous step.

    var machineKey = (MachineKeySection) ConfigurationManager.GetSection("system.web/machineKey");

    Tuesday, September 24, 2013 7:56 PM