Security deployment?

Topics: Cryptography Application Block, Security Application Block
Mar 31, 2011 at 3:15 AM

I have an application that I have configured security for as:

 <securityCryptographyConfiguration>
  <symmetricCryptoProviders>
   <add name="RijndaelManaged" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.SymmetricAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    algorithmType="System.Security.Cryptography.RijndaelManaged, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    protectedKeyFilename="C:\Projects\BuySeasonsIT\Source\Brain\Trunk\BuyseasonsServices\CacheKey.key"
    protectedKeyProtectionScope="LocalMachine" />
  </symmetricCryptoProviders>
 </securityCryptographyConfiguration>

The key has been put in the file indicated. Now I want to deploy this application. Since this key has a scope of the machine, it needs to be regenerated for each machine that this application is deployed to. Right? What is the best strategy for deploying this file, or more correctly this key?

Mar 31, 2011 at 4:06 AM

To deploy the key to other machines, you would need to export the key file using the config tool. Right click on the symmetric provider and select Export Key and follow the wizard until the key file has been exported. You can then take the exported key file to the machine where you want to deploy it and import it, again using the entlib configuration tool. The option to import appears when you add your symmetric provider. This is also mentioned in the documentation, specifically in this topic.


Sarah Urmeneta
Global Technologies and Solutions
Avanade, Inc.
entlib.support@avanade.com

Mar 31, 2011 at 3:01 PM

Is there a way to do this without the wizard or UI involved? Particularly the import?

From: AvanadeSupport [email removed]
Sent: Wednesday, March 30, 2011 10:07 PM
To: rkevinburton@charter.net
Subject: Re: Security deployment? [entlib:251896]

Apr 1, 2011 at 3:39 AM

Hi,

Yes, you can programmatically import the key file. Here's sample code that was posted in this thread:

using System.IO;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

private void ImportKeyFile(string fileDirectoryPath)
{
    // name of the .key file defined in the configuration file
    string securityKey = "security.key";

    // filename of the key file exported using the
    // Enterprise Library Config tool from the encrypting machine
    string exportedKeyFile = "security.txt";

    // password that was used to export the key file
    string keyPassword = "password";

    string importFile = Path.Combine(fileDirectoryPath, exportedKeyFile);
    string keyFile = Path.Combine(fileDirectoryPath, securityKey);

    // import only once: an existing protected key file is left alone
    if (!File.Exists(keyFile))
    {
        ProtectedKey key;

        // decrypt the exported (password-protected) key; the scope must match
        // protectedKeyProtectionScope in the configuration file
        using (FileStream importStream = File.Open(importFile, FileMode.Open, FileAccess.Read))
        {
            key = KeyManager.RestoreKey(importStream, keyPassword,
                System.Security.Cryptography.DataProtectionScope.LocalMachine);
        }

        // only create the .key file after the restore succeeded, so a bad password
        // does not leave an empty file behind that the File.Exists check would then skip
        using (FileStream keyStream = File.Open(keyFile, FileMode.Create))
        {
            // re-protect the key with DPAPI for this machine and write it
            KeyManager.Write(keyStream, key);
        }
    }
}


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.
entlib.support@avanade.com

 


Dec 5, 2011 at 4:48 PM

Can you also EXPORT the key programmatically, without relying on the configuration tool?

Dec 6, 2011 at 1:25 AM

The Export basically encrypts the key file. If you want to do it programmatically without using the configuration tool you can use the following code:

using System.IO;
using System.Security.Cryptography;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Configuration.Design;

namespace SecurityExportKey
{
    class Program
    {
        static void Main(string[] args)
        {
            // the DPAPI-protected key file named by protectedKeyFilename in the config
            string protectedKeyFilename = @"C:\file.key";
            // password-encrypted export; the import side reads it with KeyManager.RestoreKey
            string outputFilename       = @"C:\output.txt";
            string password             = "entL1b";
            // must match protectedKeyProtectionScope in the config, otherwise
            // KeyManager.Read cannot unprotect the key
            var protectedKeyScope       = DataProtectionScope.LocalMachine;

            ProtectedKeySettings keySettings = new ProtectedKeySettings();

            using (Stream keyFileContents = File.OpenRead(protectedKeyFilename))
            {
                // unprotect the key with DPAPI under the given scope
                var key = KeyManager.Read(keyFileContents, protectedKeyScope);
                keySettings.ProtectedKey = key;
                keySettings.Scope = protectedKeyScope;
                keySettings.FileName = protectedKeyFilename;
            }

            // File.Create truncates an existing file; File.OpenWrite would leave the tail
            // of a longer previous export in place and corrupt the archive
            using (Stream fileOut = File.Create(outputFilename))
            {
                // encrypt the key under the password for transport to the target machine
                KeyManager.ArchiveKey(fileOut, keySettings.ProtectedKey, password);
            }
        }
    }
}


You'll need to supply the key file, the DataProtectionScope (User/Machine), a password, and the output file.

--
Randy Levy
Enterprise Library support engineer
entlib.support@live.com

May 22, 2013 at 11:06 AM

Hi All,

In Enterprise Library 6.0 the Cryptography block has been removed. Does anybody know how to replace ProtectedKey and KeyManager using the .NET 4.5 core cryptography API?

Thanks
mp2013
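
The KeyManager calls used in the two code posts above are gone in Enterprise Library 6, and the LocalMachine scope in the first post's configuration is exactly why the raw .key file cannot simply be copied between servers. The following is an added example, not Enterprise Library's, Avanade's or any poster's code, that does the same four operations (wrap the key with DPAPI, unwrap it, export it under a passphrase, import it and re-wrap it on the target) using only System.Security.Cryptography from .NET Framework 4.5. The class name KeyFileManager, its method names and the archive layout (salt, IV, ciphertext, HMAC) are this example's own assumptions; the file it produces is not compatible with the config tool's exported key files, and ProtectedData needs a reference to System.Security.dll and runs on Windows only.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example (hypothetical KeyFileManager), not Enterprise Library code. Reimplements what the
// thread's KeyManager calls do with only .NET 4.5's System.Security.Cryptography. Needs a reference
// to System.Security.dll for ProtectedData (DPAPI, Windows-only). The archive layout
// salt | iv | ciphertext | hmac is this example's own and is not compatible with EntLib's exports.
public static class KeyFileManager
{
    const int SaltSize = 16, IvSize = 16, MacSize = 32, KeySize = 32, Iterations = 100000;

    // KeyManager.Write counterpart: wrap the raw key with DPAPI. LocalMachine ties the file to this
    // host (any local process can unwrap it, so ACL the file); CurrentUser ties it to the account.
    public static void WriteProtectedKey(string path, byte[] rawKey, DataProtectionScope scope)
    {
        File.WriteAllBytes(path, ProtectedData.Protect(rawKey, null, scope));
    }
    // KeyManager.Read counterpart. Throws CryptographicException on any other machine or account,
    // which is why the .key file from the first post cannot simply be copied to another server.
    public static byte[] ReadProtectedKey(string path, DataProtectionScope scope)
    {
        return ProtectedData.Unprotect(File.ReadAllBytes(path), null, scope);
    }
    // KeyManager.ArchiveKey counterpart: unwrap locally, re-encrypt under a passphrase for transport.
    public static void ArchiveKey(string keyPath, DataProtectionScope scope, string archivePath, string passphrase)
    {
        byte[] rawKey = ReadProtectedKey(keyPath, scope);
        try { File.WriteAllBytes(archivePath, Seal(rawKey, passphrase)); }
        finally { Array.Clear(rawKey, 0, rawKey.Length); }
    }
    // KeyManager.RestoreKey + Write counterpart: decrypt the archive, wrap with THIS machine's DPAPI.
    public static void RestoreKey(string archivePath, string passphrase, string keyPath, DataProtectionScope scope)
    {
        byte[] rawKey = Open(File.ReadAllBytes(archivePath), passphrase);
        try { WriteProtectedKey(keyPath, rawKey, scope); }
        finally { Array.Clear(rawKey, 0, rawKey.Length); }
    }
    // PBKDF2 (HMAC-SHA1 is the only variant in .NET 4.5); separate keys for AES and HMAC.
    static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
        { encKey = kdf.GetBytes(KeySize); macKey = kdf.GetBytes(KeySize); }
    }
    static byte[] Seal(byte[] plaintext, string passphrase)
    {
        byte[] salt = new byte[SaltSize], encKey, macKey;
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        DeriveKeys(passphrase, salt, out encKey, out macKey);
        using (var aes = Aes.Create())   // AES-256-CBC, PKCS7 padding
        {
            aes.Key = encKey;
            aes.GenerateIV();
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] body = Concat(salt, aes.IV, ct);
            using (var h = new HMACSHA256(macKey)) return Concat(body, h.ComputeHash(body)); // encrypt-then-MAC
        }
    }
    static byte[] Open(byte[] archive, string passphrase)
    {
        if (archive.Length < SaltSize + IvSize + MacSize) throw new CryptographicException("Archive is truncated.");
        int bodyLen = archive.Length - MacSize, ctLen = bodyLen - SaltSize - IvSize;
        byte[] salt = Slice(archive, 0, SaltSize), iv = Slice(archive, SaltSize, IvSize);
        byte[] ct = Slice(archive, SaltSize + IvSize, ctLen), mac = Slice(archive, bodyLen, MacSize);
        byte[] encKey, macKey, expected;
        DeriveKeys(passphrase, salt, out encKey, out macKey);
        using (var h = new HMACSHA256(macKey)) expected = h.ComputeHash(archive, 0, bodyLen);
        // Verify before decrypting: a wrong passphrase or an edited file fails here, not as a padding error.
        if (!FixedTimeEquals(mac, expected)) throw new CryptographicException("Wrong passphrase or archive tampered with.");
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(ct, 0, ct.Length);
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static byte[] Slice(byte[] src, int offset, int count)
    {
        var dst = new byte[count]; Buffer.BlockCopy(src, offset, dst, 0, count); return dst;
    }
    static byte[] Concat(params byte[][] parts)
    {
        int total = 0; foreach (var p in parts) total += p.Length;
        var dst = new byte[total]; int pos = 0;
        foreach (var p in parts) { Buffer.BlockCopy(p, 0, dst, pos, p.Length); pos += p.Length; }
        return dst;
    }
    // Round trip on one machine; in a real deployment RestoreKey runs on the target server.
    public static void Main()
    {
        string dir = Path.GetTempPath(), pass = "example-passphrase";   // constructed sample values
        string keyFile = Path.Combine(dir, "cachekey.key"), export = Path.Combine(dir, "cachekey.export");
        string restored = Path.Combine(dir, "cachekey-restored.key");
        byte[] original = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(original);
        WriteProtectedKey(keyFile, original, DataProtectionScope.LocalMachine);
        ArchiveKey(keyFile, DataProtectionScope.LocalMachine, export, pass);
        RestoreKey(export, pass, restored, DataProtectionScope.LocalMachine);
        bool same = FixedTimeEquals(original, ReadProtectedKey(restored, DataProtectionScope.LocalMachine));
        Console.WriteLine(same ? "key survived export/import" : "MISMATCH");
    }
}
```

RestoreKey follows the same shape as the ImportKeyFile sample earlier in the thread (decrypt with the passphrase, then re-wrap under the local DPAPI scope), which is what makes the exported file portable while the .key file is not. Two operational points the thread's samples leave implicit: the export file plus its passphrase is the key, so the passphrase belongs in a deployment secret store rather than in source like the inline "entL1b", and a LocalMachine-scoped .key file can be unwrapped by any process on that host, so the file's ACL is the only thing separating the application's key from other local accounts.
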
Nov 22, 2013 at 8:11 PM

I have been looking for this for some time now.

I am updating a 2.0 project using

Microsoft.Practices.EnterpriseLibrary.Security.Cryptography

to 4.5 and
<sarcasm>

lo and behold, MS in their infinite wisdom changed it up without any sample code.

I guess no one would ever be FORCED to move from one lib to another.

</sarcasm>

This should have taken minutes, not a day, to figure out.

I even checked the docs and it says the calls have been removed.

NOT EVEN A

DO IT THIS WAY NOW