Failed to decrypt using provider 'RsaProtectedConfigurationProvider'

Topics: Exception Handling Application Block, Logging Application Block
Dec 8, 2010 at 8:49 AM

Hi

I have created a Windows application which logs exceptions to my custom database. I am encrypting the connectionStrings section using the "RsaProtectedConfigurationProvider" with the help of the Enterprise Library Data Access Block protection mechanism. On my local box everything is fine. I am using Windows 7 for development purposes. When I deployed my files to the Dev server (Win 2008 R2), I am getting the following exception.

Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.

What is the possible cause of this exception? Is there any configuration change I need to make on my Dev server? I am copying the relevant sections from my config file. Please advise.

<configuration>
  <configSections>
    <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <section name="exceptionHandling" type="Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Configuration.ExceptionHandlingSettings, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </configSections>
  <loggingConfiguration name="Logging Application Block" tracingEnabled="true"
    defaultCategory="" logWarningsWhenNoCategoriesMatch="true">
    <listeners>
      <add databaseInstanceName="Development" writeLogStoredProcName="WriteLog"
        addCategoryStoredProcName="AddCategory" formatter="Text Formatter"
        listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Database.Configuration.FormattedDatabaseTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging.Database, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        traceOutputOptions="None" type="Microsoft.Practices.EnterpriseLibrary.Logging.Database.FormattedDatabaseTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging.Database, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        name="CheckCenter Trace Listener" />
    </listeners>
    <formatters>
      <add template="Timestamp: {timestamp}&#xD;&#xA;Message: {message}&#xD;&#xA;Category: {category}&#xD;&#xA;Priority: {priority}&#xD;&#xA;EventId: {eventid}&#xD;&#xA;Severity: {severity}&#xD;&#xA;Title:{title}&#xD;&#xA;Machine: {machine}&#xD;&#xA;Application Domain: {appDomain}&#xD;&#xA;Process Id: {processId}&#xD;&#xA;Process Name: {processName}&#xD;&#xA;Win32 Thread Id: {win32ThreadId}&#xD;&#xA;Thread Name: {threadName}&#xD;&#xA;Extended Properties: {dictionary({key} - {value}&#xD;&#xA;)}"
        type="Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.TextFormatter, Microsoft.Practices.EnterpriseLibrary.Logging, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        name="Text Formatter" />
    </formatters>
    <categorySources>
      <add switchValue="All" name="CheckCenterClient">
        <listeners>
          <add name="CheckCenter Trace Listener" />
        </listeners>
      </add>
    </categorySources>
    <specialSources>
      <allEvents switchValue="All" name="All Events" />
      <notProcessed switchValue="All" name="Unprocessed Category" />
      <errors switchValue="All" name="Logging Errors &amp; Warnings">
        <listeners>
          <add name="CheckCenter Trace Listener" />
        </listeners>
      </errors>
    </specialSources>
  </loggingConfiguration>
  <exceptionHandling>
    <exceptionPolicies>
      <add name="Exception Policy">
        <exceptionTypes>
          <add type="System.Exception, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
            postHandlingAction="NotifyRethrow" name="Exception">
            <exceptionHandlers>
              <add logCategory="CheckCenterClient" eventId="100" severity="Error"
                title="Error from CheckCenter Client" formatterType="Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.XmlExceptionFormatter, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                priority="0" type="Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.LoggingExceptionHandler, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                name="Logging Handler" />
            </exceptionHandlers>
          </add>
        </exceptionTypes>
      </add>
    </exceptionPolicies>
  </exceptionHandling>
  <dataConfiguration configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>CmA+M2f0K4Pc8EUF+vhIMgeKVuRIItM9kwRJPX/84inJQzMfMsGONHvNScrC9j663o6TRNdHKF2dnkwvLaCjWJlg2HjJw8TWwG3LkD1Tou2qOy57suvTNx0qrTxBwm7BHcRZQxLUm5WCrOEtpvIltFcgjf/bMXillEL2YyKYwOw=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>x8ojFlauo4+1Oiu7UDV2+hfmY+xV9KwGe2wU6BeeWffzED1/vLCIvUGyd1BHchIMwNQ1MlL34KlQGi8WGZJCZg==</CipherValue>
      </CipherData>
    </EncryptedData>
  </dataConfiguration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>bH+aVrDzH9+YMnyUw5jgPggDedYPl0iDMzytM+KcD35PPuczY4Mo9uEMT9xfwYUdXtx+ZXcSaDihIYWOs3NxlOejcA/IOqaNDmIg/9orr82t/hEjCGi6h4ySFoPxllXUZ+6sXoEjlfKbG76m9bBjsX0AdC84rJjKt4FsJmpFZ64=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>Vc7UMXAuHERpnMkLKD8fyQKd9sfIE3PxQ9jA55tcz/kIaTvUaX26BywEIJTVuGrbicnQR9qjjGMuBk3HXwKt+KmWRVcN6LwsZhQHWNwxjL8XZbOtkFOH1ftd0NigPqC4BCNi/Y9gbEuSy+ORLffjT4hu/np9eTKoBJDkME177szJhbkKhyxfcCanfVDN9KbdyOk+2MyPZUo2vKicqdaum+3zSmAqag8xXZH+U281mYdIDepcr67MGAeRZilauI+2nRVC80+0r4WCmLC6tAFx1DBwueY0E52CeEWaF6XvVGQ=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>

Thanks

Tutumon

Dec 8, 2010 at 7:26 PM

RSA encrypts the data with a key. If you're using the default RSA provider, each machine has a different key. You'll need to copy a common key across both machines.


Dec 9, 2010 at 4:21 AM

Hi

Thanks for your mail. Can you provide me any links or docs which help to generate a separate machine key and deploy it to multiple servers? And can I keep the sections encrypted by the EL Application Block, or do I need to use the aspnet_regiis tool to encrypt the connectionStrings section?

Thanks

Tutu

Dec 9, 2010 at 4:37 AM

You can use the section encrypted by Enterprise Library. Below are the steps on how to use encrypted configuration on other machines; it involves creating a custom RSA key container. I actually took most of the steps from MSDN's documentation on this related topic.

Encryption Process:

1. Create a custom RSA key container by running the following command in the Visual Studio Command Prompt:

       aspnet_regiis -pc "CustomKeys" -exp

2. Remove the RSAProtectedConfigurationProvider and add it back again, this time specifying the name of the key container you've just created in step #1.

<configProtectedData>
  <providers>
    <remove name="RSAProtectedConfigurationProvider" />
    <add keyContainerName="CustomKeys" useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="RsaProtectedConfigurationProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

3. Save your configuration file and open it in the Enterprise Library Configuration Tool.

4. Encrypt the configuration section you want by selecting RSAProtectedConfigurationProvider as the value for the Protection Provider property. Save the configuration file. If you open it in the XML Editor, you should see that it is now encrypted.

Deployment and Importing Process:

5. Export the custom RSA key container by running the following command (use any filename for the XML):

       aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri

6. Deploy the configuration file you encrypted and the exported key container (CustomKeys.xml) to the machine where you want to use it.

7. Import the custom RSA key container on the machine by running the following command:

       aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"

And that's it; you should be able to open your configuration using the EntLib configuration tool on that machine.

Let me know if this worked for you.


Sarah Urmeneta
Global Technologies and Solutions
Avanade, Inc.
entlib.support@avanade.com

Dec 9, 2010 at 5:40 AM

Hi Sarah

Thanks for your response. I have followed your instructions and that worked well. I had made one mistake earlier - I was encrypting the file first and then adding the configProtectedData section.

Now that issue is resolved.

Thanks

Tutumon & Team

Mar 31, 2011 at 7:37 PM

Hi

I have a similar problem. I followed the steps, but it shows me the following error:

System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Unable to retrieve the decryption key.

Below is the relevant part of my configuration file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
    </configSections>

    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
        <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <KeyName>KEY2</KeyName>
                    </KeyInfo>
                    <CipherData>
                        <CipherValue>YzZxaxuNAgeE6NcczBDZjjuouc6E4n9CYhiNIRdYyOnUY1iRJseNhgyGdg1eo9gK4OhbVMo3YA06h6V6pk0zv3fofP6MbDG/x7dLeAgaTC0HBqasGZ4C/Jb1mACdbd3j58wa/=</CipherValue>
                    </CipherData>
                </EncryptedKey>
            </KeyInfo>
            <CipherData>
                <CipherValue>zo/BOiLGgEm0+M9YM64staSTLHXXRr756VHIJMC/CYZWnv4i0nT98j+LUVUuNVyIlA9SK8mLY83hpi3Oubt8pq7r/UOFPkJFNql72IGbJnKz7511Y2dS1CCc8IocSDHwRYXEqPrVXhRixoc0xLv/onWRsTR7bNfvH4ojKD3qr5itfD3LTEnxfBKu6w1jakMbSazNhdp1QHU5kG4b9D7A==</CipherValue>
            </CipherData>
        </EncryptedData>
    </connectionStrings>
    <system.diagnostics>
        <sources>
            <!-- This section defines the logging configuration for My.Application.Log -->
            <source name="DefaultSource" switchName="DefaultSwitch">
                <listeners>
                    <add name="FileLog"/>
                    <!-- Uncomment the below section to write to the Application Event Log -->
                    <!--<add name="EventLog"/>-->
                </listeners>
            </source>
        </sources>
        <switches>
            <add name="DefaultSwitch" value="Information" />
        </switches>
        <sharedListeners>
            <add name="FileLog"
                 type="Microsoft.VisualBasic.Logging.FileLogTraceListener, Microsoft.VisualBasic, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
                 initializeData="FileLogWriter"/>
            <!-- Uncomment the below section and replace APPLICATION_NAME with the name of your application to write to the Application Event Log -->
            <!--<add name="EventLog" type="System.Diagnostics.EventLogTraceListener" initializeData="APPLICATION_NAME"/> -->
        </sharedListeners>
    </system.diagnostics>

and in this part of the code I add the new key:

<configProtectedData>
  <providers>
    <remove name="RSAProtectedConfigurationProvider" />
    <add keyContainerName="Key2" useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         name="RsaProtectedConfigurationProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>
</configuration>

The application was developed with Visual Studio 2008 on Windows Vista, and when I install it on Windows 7 the above error appears.

Hopefully you can help.

Thanks. I hope to get an answer.

Apr 1, 2011 at 8:10 AM

Hi,

It's possible that you exported and imported a different key container than the one specified in your config file. Can you repeat the process and make sure you are using the same key container?


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.
entlib.support@avanade.com
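An added check that is not from this thread or from Enterprise Library, covering both the first question ("Bad Data" once the config reaches a second machine) and the later one ("Unable to retrieve the decryption key"): a PowerShell function that reads which RSA key container the config file's provider entry names, opens that container from the configured store the same way RsaProtectedConfigurationProvider does, and fingerprints its public key so the development box and the server can be compared. It assumes the provider is registered under the name RsaProtectedConfigurationProvider, as in the configs above, and that the path passed in is the deployed config file.

```powershell
# Added example, not code from this thread or from Enterprise Library. Resolves the RSA key
# container a config file's provider entry names, opens it the way the provider does, and
# fingerprints its public key so two hosts can be compared.
function Test-RsaProtectedConfigKey {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    # A local <configProtectedData> override wins; otherwise machine.config's defaults apply
    # (container 'NetFrameworkConfigurationKey' in the machine store).
    $provider = $cfg.SelectSingleNode(
        "/configuration/configProtectedData/providers/add[@name='RsaProtectedConfigurationProvider']")
    $container = 'NetFrameworkConfigurationKey'
    $machineStore = $true
    if ($provider) {
        if ($provider.GetAttribute('keyContainerName')) { $container = $provider.GetAttribute('keyContainerName') }
        $machineStore = ($provider.GetAttribute('useMachineContainer') -ne 'false')
    }
    $store = if ($machineStore) { 'Machine' } else { 'User' }
    # Sections carrying configProtectionProvider are the ones the runtime must decrypt on load.
    $protected = @($cfg.SelectNodes('//*[@configProtectionProvider]') | ForEach-Object { $_.LocalName })
    # Same CSP parameters the provider uses: PROV_RSA_FULL, AT_KEYEXCHANGE, existing key only
    # (so this check never creates a container), machine or user store per the config.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $container
    $csp.ProviderType = 1
    $csp.KeyNumber = 1
    $flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    if ($machineStore) { $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore }
    $csp.Flags = $flags
    $result = [ordered]@{
        Host = $env:COMPUTERNAME; Container = $container; Store = $store
        ProtectedSections = ($protected -join ', '); Opened = $false; PublicKeySha256 = $null; Error = $null
    }
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        # Public modulus only: readable even for containers created without -exp, and it
        # identifies the key pair. Hosts that share an encrypted config must match here.
        $modulus = $rsa.ExportParameters($false).Modulus
        $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($modulus)
        $result.Opened = $true
        $result.PublicKeySha256 = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
    } catch {
        # The container is absent from this store, or this identity has no access to it
        # (aspnet_regiis -pa "<container>" "<account>" grants an account access).
        $result.Error = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$result
}

# Run on the development box and on the deployment server, then compare the two outputs.
Test-RsaProtectedConfigKey -ConfigPath '.\app.config' | Format-List
```

Different PublicKeySha256 values on the two hosts is the situation the first reply describes (each machine has its own key); an Error means the container the config names could not be opened on this host by this identity, which is what to fix before retrying the import step.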