How to deploy when using "RijndaelManaged" cryptography

Topics: Building and extending application blocks, Cryptography Application Block, Enterprise Library Core, Pre-release discussions, Security Application Block
Aug 17, 2011 at 7:23 PM

I created a website that uses the Crypto block of Enterprise Library.
These are the settings I have in my config file.
      <add name="MyPrj" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.SymmetricAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        algorithmType="System.Security.Cryptography.RijndaelManaged, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        protectedKeyProtectionScope="CurrentUser" />
It all seems to work fine on the local machine.
But when I try to deploy it on a remote server, I get errors. The reason I found is that the "MyCrypt.Key" file can't be found at the specified location.
This is the stack trace of the error I am getting.
   at Microsoft.Practices.ServiceLocation.ServiceLocatorImplBase.GetInstance(Type serviceType, String key) in c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\ServiceLocatorImplBase.cs:line 53
   at Microsoft.Practices.ServiceLocation.ServiceLocatorImplBase.GetInstance[TService]() in c:\Home\Chris\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation\ServiceLocatorImplBase.cs:line 90
   at contactus.Submit_Click(Object sender, EventArgs e) in C:\MyWebSite\contactus.aspx.vb:line 87
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
The line that generates the error is:
Dim crypto As CryptographyManager = EnterpriseLibraryContainer.Current.GetInstance(Of CryptographyManager)()
From the following post, I have exported the key file, but I don't know what to do next.
Could anyone please give me the steps for proceeding further and deploying it successfully?

Aug 18, 2011 at 3:51 AM


Like what Sarah has mentioned, you need to import the exported key file. The import option only appears when you add a symmetric provider.


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.

Aug 18, 2011 at 7:31 AM


As per Sarah's suggestion, I already exported the file (which happened fine for me.)

Now, using the Configuration Tool, where do you want me to import this file: on the development machine or the production server?

I can't do it on the production server, as the site will be hosted on a shared server where the Enterprise Library Configuration tool isn't available to me. In such a condition, is there a workaround?

If you want me to do it on the development machine, please confirm: after importing, all I need to do is XCopy the contents and DLLs to the remote server, correct?


Aug 18, 2011 at 10:11 AM

I'm afraid it doesn't work that way. The reason is that the key file, by design, is encrypted through DPAPI, which is a machine-specific algorithm. When EntLib exports the key, it removes the DPAPI encryption and encrypts it with another algorithm that requires a password (which is provided by the user). During the import process, it decrypts the exported key (again using the same password that was used for encryption). Finally, the key is encrypted using the DPAPI specific to that machine. Since you don't have the EntLib Config Tool on the production server, I suggest you create a simple application that will import the key to the target machine. You can refer here for the sample code. Hope this helps.


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.

Aug 18, 2011 at 11:28 AM

Thanks for the explanation and the forum link.

I can figure out what the code is doing.

Final query: where do I need to put this code, in Global.asax or just prior to the line generating the error? Please confirm.

Also, there is a little security concern. Placing the key and the exported file isn't a standard practice. Ideally, if I import the export file using the EntLib config tool, I won't have to put the key file on the server, right? So, is there a way that I need not put the key file on the production server?

Aug 19, 2011 at 5:23 AM
Edited Aug 19, 2011 at 6:37 AM

It would be better if you can create a simple utility application that will import the key, so that the password and key file name wouldn't be hardcoded in your code. On your concern regarding the key file location, I believe that the path, by design, is limited only to where the application runs (since it encrypts the key through DPAPI). I was thinking of another way, though you would need to modify the KeyManager class so that it won't encrypt and decrypt the key using DPAPI. You can refer to the EntLib source code on how the KeyManager is implemented. Hope this helps :)


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.
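
The stand-alone import utility suggested in the replies above, as an added example (not code from this thread or from Enterprise Library itself): it restores the password-protected export with `KeyManager.RestoreKey` and writes a DPAPI-protected key file with `KeyManager.Write`, prompting for the password so it is not hardcoded. The module name and the two command-line arguments are hypothetical; the scope is `CurrentUser` to match the `protectedKeyProtectionScope` in the first post, so it has to run under the Windows account the site runs as, and the target path must be the one the provider's `protectedKeyFilename` setting points to.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography   ' DataProtectionScope (reference System.Security.dll)
Imports System.Text
Imports Microsoft.Practices.EnterpriseLibrary.Security.Cryptography

Module ImportKeyTool   ' hypothetical name, not part of Enterprise Library
    ' Usage: ImportKeyTool.exe <exported-archive> <target-key-file>
    Function Main(ByVal args As String()) As Integer
        If args.Length <> 2 Then
            Console.Error.WriteLine("Usage: ImportKeyTool <exported-archive> <target-key-file>")
            Return 1
        End If
        Console.Write("Export password: ")
        Dim passphrase As String = ReadMasked()
        Try
            Dim key As ProtectedKey
            ' Decrypt the archive with the export password, then re-protect the
            ' key with DPAPI for the account this process is running as.
            Using archive As FileStream = File.OpenRead(args(0))
                key = KeyManager.RestoreKey(archive, passphrase, DataProtectionScope.CurrentUser)
            End Using
            ' Write the DPAPI-protected key where the provider expects to find it.
            Using target As FileStream = File.Create(args(1))
                KeyManager.Write(target, key)
            End Using
        Catch ex As Exception
            Console.Error.WriteLine("Import failed: " & ex.Message)
            Return 2
        End Try
        Console.WriteLine("Key written to " & args(1) & " for account " & Environment.UserName)
        Return 0
    End Function

    ' Reads the password without echoing it to the console.
    Private Function ReadMasked() As String
        Dim sb As New StringBuilder()
        Do
            Dim k As ConsoleKeyInfo = Console.ReadKey(True)
            If k.Key = ConsoleKey.Enter Then Exit Do
            If k.Key = ConsoleKey.Backspace Then
                If sb.Length > 0 Then sb.Length -= 1
            ElseIf Not Char.IsControl(k.KeyChar) Then
                sb.Append(k.KeyChar)
            End If
        Loop
        Console.WriteLine()
        Return sb.ToString()
    End Function
End Module
```

Delete the password-protected export from the server once the import has succeeded; only the DPAPI-protected key file needs to remain there.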