Question
I'm planning to encrypt the connection strings of a web configuration file belonging to an application which will be run in a server farm. I am aware of the aspnet_regiis command line tool to encrypt the sections using it. But I have some doubts, which I expect you guys can solve.
My question is that if I encrypt the connectionstrings and the web.config file is stolen by some hacker, will he be able to decrypt it using the same command line with -pe switch? The same is shown below.
- My Servers, My Web.Config, Not Encrypted (I created pure web config)
- My Servers, My Web.config, Encrypted (I encrypted web config)
- Someone's server, My web.config, Encrypted (Someone stole my web config)
Is he able to decrypt using the same command line, like
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
Answer 1:
Jon Galloway has an interesting method of handling this situation on his blog: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
The post is referring to an app.config, but the same should apply to a web.config as well.
EDIT: I guess that I answered before fully realizing what you were asking. My apologies if the referenced blog is of no assistance.
EDIT2: In response to the actual question, the answer is maybe. The hacker would be able to decrypt your web.config if he had access to the encryption key information. According to MSDN (http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx):
To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have permission to read the appropriate encryption key information.
Source: https://stackoverflow.com/questions/21271381/asp-net-web-config-encryption-security
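The key dependency the answer describes, shown as an added example for the server-farm case (not part of the original question or answer): the RSA key pair lives in a machine-level key container outside web.config, so it has to be created once, exported, and imported on every farm node. The container name `FarmKeys`, provider name `FarmRsaProvider`, the key file path, the app pool account and the framework path are assumptions.

```powershell
# Added example. FarmKeys, FarmRsaProvider, the paths and the account are assumed names.
$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'FarmKeys'                       # custom RSA key container shared by the farm
$keyFile   = 'C:\secure\FarmKeys.xml'         # exported key pair; contains the PRIVATE key
$account   = 'NT AUTHORITY\NETWORK SERVICE'   # identity the ASP.NET process runs as

function Initialize-FirstNode {
    # Create a machine-level container; -exp marks the key pair as exportable.
    & $regiis -pc $container -exp
    # Let the ASP.NET process identity read the key (the permission MSDN refers to).
    & $regiis -pa $container $account
    # Encrypt the section. The provider named here must be declared in web.config
    # under <configProtectedData><providers> with keyContainerName="FarmKeys"
    # and useMachineContainer="true".
    & $regiis -pe 'connectionStrings' -app '/SampleApplication' -prov 'FarmRsaProvider'
    # Export public AND private key (-pri) so other nodes can decrypt.
    & $regiis -px $container $keyFile -pri
}

function Import-FarmKey {
    # Run on every other node after moving $keyFile over a trusted channel.
    # Without -exp the imported key is not marked exportable on this node.
    & $regiis -pi $container $keyFile
    & $regiis -pa $container $account
    # The XML file is the secret that makes a copied web.config readable:
    # delete it as soon as the import has succeeded.
    Remove-Item -Path $keyFile -Force
}

# Usage: call Initialize-FirstNode on one server, then Import-FarmKey on the rest.
# On a machine that has only the encrypted web.config and not the container,
# "aspnet_regiis -pd connectionStrings -app /SampleApplication" fails because
# the provider cannot open the key container.
```

The encrypted web.config is only as safe as the key container and any exported copy of `FarmKeys.xml`; restrict `-pa` grants to the accounts that actually run the application.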