protectedKeyFilename

Topics: Cryptography Application Block
Jan 12, 2007 at 4:50 PM
Hi - I'm new to the cryptography block so please excuse the "nooby" question. I'm confused about the protectedKeyFilename property. It points to a key file that contains the "key" I typed in. I need to encrypt/decrypt values I'm storing in an Oracle database. But using the Enterprise (Jan 2006) library, what would stop somebody obtaining this key file and decrypting it themselves? I know if I came across a key file, and noticed that they were using "RijndaelManaged", I might be able to decrypt the data.

I hope this makes sense.

Thank you,
Dave
Jan 12, 2007 at 5:10 PM
The Cryptographic Key Wizard, which steps you through creating a key and storing it in a file, encrypts the key file using DPAPI in either machine or user mode. If the user gets access to the file, they shouldn't be able to decrypt it unless they have physical access to the machine or logon credentials of the user that encrypted it. If that is the case, you probably have bigger problems.

Securing the key file is important, so it is recommended that you take any and all steps above this first level of security to keep people from accessing it.

Regards,

Dave

__________________

David Hayden
Microsoft MVP C#
http://www.davidhayden.com/
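As an added illustration of the mechanism described above (this is not code from the thread or from the Enterprise Library itself), the following snippet uses the .NET DPAPI wrapper, System.Security.Cryptography.ProtectedData, rather than the block's own key manager, to show what a protected key file actually holds and why it only unwraps in the scope it was created in; the file name is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Demonstrates a DPAPI-wrapped symmetric key file: the file on disk holds a
// DPAPI blob, not the raw Rijndael key, so copying it elsewhere is not enough.
class ProtectedKeyDemo
{
    // Generate a random Rijndael key and write it to disk wrapped with DPAPI.
    static void CreateProtectedKeyFile(string path, DataProtectionScope scope)
    {
        using (var aes = new RijndaelManaged { KeySize = 256 })
        {
            aes.GenerateKey();
            byte[] wrapped = ProtectedData.Protect(aes.Key, null, scope);
            File.WriteAllBytes(path, wrapped);
        }
    }

    // Unwrap the key. With LocalMachine scope this only succeeds on the host
    // that created the file; with CurrentUser scope only under that account.
    // Anywhere else DPAPI throws, which is the failure seen after copying a
    // key file to another server: the fix is to re-create the key there.
    static byte[] LoadKey(string path, DataProtectionScope scope)
    {
        try
        {
            return ProtectedData.Unprotect(File.ReadAllBytes(path), null, scope);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Key file cannot be unwrapped in this scope on this host.", ex);
        }
    }

    static void Main()
    {
        string path = "demo.key"; // placeholder file name
        CreateProtectedKeyFile(path, DataProtectionScope.LocalMachine);
        byte[] key = LoadKey(path, DataProtectionScope.LocalMachine);

        // Use the unwrapped key exactly as the block would: encrypt a value,
        // then decrypt it with the same key and IV.
        using (var aes = new RijndaelManaged { Key = key })
        {
            aes.GenerateIV();
            byte[] plain = Encoding.UTF8.GetBytes("db-secret");
            byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
            byte[] back = aes.CreateDecryptor().TransformFinalBlock(cipher, 0, cipher.Length);
            Console.WriteLine(Encoding.UTF8.GetString(back));
        }
    }
}
```

On .NET Framework 2.0 (the Enterprise Library releases discussed here) ProtectedData lives in the System.Security assembly, which must be referenced explicitly.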
Jan 12, 2007 at 6:21 PM
Thank you Dave. That makes a lot of sense. On my development box, I have it set at user, but on the remote server where the application will run, I have it set at machine. But that opens up other issues, which I posted about in another post.

Thanks again for clearing this up for me. The help is greatly appreciated :)
Feb 22, 2007 at 5:36 PM
Edited Feb 22, 2007 at 5:36 PM
David/DZangger, I have a very similar issue I am facing now. I am using the June 2005 Enterprise Library and using CMAB to configure some values that need to be hidden.

I have encrypted my custom settings using DPAPI (Machine settings) on my machine and now need to migrate my application and settings to other servers in my environment. How would I create or use my .KEY file in those environments? If I have the key file without DPAPI settings, my web app works; otherwise it fails.

Any suggestions, ideas or links are welcome.

Thanks in advance.
-Yogesh