About SectionInformation.ProtectSection

  • Question

  • Hi all,

    I have some questions about the SectionInformation.ProtectSection method (not ASP.NET + Aspnet_regiis.exe).

    • When used with RsaProtectedConfigurationProvider, what kind of key container is created? Machine-level or user-level?
    • If I understood correctly, a machine-level key container allows everyone on the machine to use the application with the encrypted app.config, right? Porting the app to another machine will make app.config decryption fail (unless the key container is exported).
    • User-level key containers, on the other side, allow only the user who originally encrypted app.config to decrypt app.config, so that user is the only one allowed to run the application because it's the only one that has access to the key storage.

    Am I right so far?

    So I guess that using SectionInformation.ProtectSection produces a machine-level container... but is there a way to force a user-level key container?

    Thursday, March 31, 2011 4:42 PM

All replies

  • Hi, Thank you for your question, we're doing research on this case, it might take some time before we get back to you.
    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, April 4, 2011 7:50 AM
  • 1. When used with RsaProtectedConfigurationProvider, what kind of key container is created? Machine-level or user-level?

    [ANSWER] This can be queried using the "RsaProtectedConfigurationProvider.UseMachineContainer" property. This property returns true if the RsaProtectedConfigurationProvider object is using the machine key container; otherwise it returns false.

    2. If I understood correctly, a machine-level key container allows everyone on the machine to use the application with the encrypted app.config, right? Porting the app to another machine will make app.config decryption fail (unless the key container is exported).

    [ANSWER] Key containers can be created in the user's profile or the machine's. User-level key containers can only be used by the user in whose profile the keys have been created, and machine-level key containers can be used by anyone with access to them. Keys are usually in files, so you need to export the key container if you wish to access the keys from a different machine.

    For example, the following command exports the machine-level RSA key container named SampleKeys to the file named "keys.xml" and includes the private key information:

    aspnet_regiis -px "SampleKeys" keys.xml -pri

    The following command imports a machine-level RSA key container named SampleKeys from the file named "keys.xml":

    aspnet_regiis -pi "SampleKeys" keys.xml

    3. User-level key containers, on the other side, allow only the user who originally encrypted app.config to decrypt app.config, so that user is the only one allowed to run the application because it's the only one that has access to the key storage.

    [ANSWER] Correct. User-level key containers can only be used or accessed by the user in whose profile the keys have been created.


    --Trevor H.
    Send files to Hotmail.com: "MS_TREVORH"
    Monday, May 23, 2011 4:47 PM
    Moderator
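The following is an added example, not code from the thread or from Microsoft: a console program that calls SectionInformation.ProtectSection against its own .exe.config using an RsaProtectedConfigurationProvider entry registered with useMachineContainer="false", which is the documented switch that makes the provider use a user-level key container instead of the default machine-level one. It then reads the UseMachineContainer property the answer above points at, on both the registered provider and the provider recorded on the protected section. The provider name "UserRsaProvider", the container name "ExampleUserKeys" and the "DbPassword" setting are assumptions chosen for this example; the program needs a reference to System.Configuration.dll.

```csharp
// Added example (not from the thread). Protects <appSettings> with a
// user-level RSA key container and checks which container type was used.
//
// The program expects its app.config to register the provider like this
// (names are assumed; useMachineContainer="false" selects the current
// user's profile key store rather than the machine key store):
//
//   <configuration>
//     <configProtectedData>
//       <providers>
//         <add name="UserRsaProvider"
//              type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//              keyContainerName="ExampleUserKeys"
//              useMachineContainer="false" />
//       </providers>
//     </configProtectedData>
//     <appSettings>
//       <add key="DbPassword" value="example-secret" />
//     </appSettings>
//   </configuration>

using System;
using System.Configuration;

static class ProtectSectionDemo
{
    const string ProviderName = "UserRsaProvider"; // assumed, must match app.config
    const string SectionName = "appSettings";

    static void Main()
    {
        // Open the config file that belongs to this executable (app.exe.config),
        // not a per-user roaming/local copy.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        // Check the registered provider before touching anything: this is the
        // UseMachineContainer query the answer describes.
        var provider = ProtectedConfiguration.Providers[ProviderName]
                       as RsaProtectedConfigurationProvider;
        if (provider == null)
            throw new InvalidOperationException(
                "Provider '" + ProviderName + "' is not registered in <configProtectedData>.");

        Console.WriteLine("Container '{0}', machine-level: {1}",
            provider.KeyContainerName, provider.UseMachineContainer);

        ConfigurationSection section = config.GetSection(SectionName);
        if (!section.SectionInformation.IsProtected)
        {
            // ProtectSection takes the provider *name*. With useMachineContainer
            // false, the RSA key pair lives in the current user's profile, so only
            // this Windows user will be able to decrypt the section afterwards.
            section.SectionInformation.ProtectSection(ProviderName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection(SectionName);
            Console.WriteLine("Encrypted <{0}> with provider {1}", SectionName, ProviderName);
        }

        // Normal reads decrypt transparently; this is what fails for any other
        // user (or on another machine) when the container is user-level.
        Console.WriteLine("DbPassword = " + ConfigurationManager.AppSettings["DbPassword"]);

        // Confirm from the section itself which provider, and therefore which
        // container type, protects it on disk.
        var used = section.SectionInformation.ProtectionProvider
                   as RsaProtectedConfigurationProvider;
        if (used != null)
            Console.WriteLine("Section uses a machine-level container: " + used.UseMachineContainer);
    }
}
```

Run it once as the user who should own the secret; the first ProtectSection creates the user-level container if it does not exist yet. Note that the aspnet_regiis -px and -pi commands in the answer above act on machine-level containers; to export or import a user-level container such as the one this example creates, the same commands take the additional -pku switch.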