Encrypting externally stored App blocks with exportable Key Provider

Topics: Building and extending application blocks, Cryptography Application Block, Enterprise Library Core, General discussion
Dec 19, 2008 at 10:17 AM
Edited Dec 22, 2008 at 8:28 AM

Hi all,

I have been trying for quite a while to figure out how to encrypt application blocks that are stored in an external file called dev_entlib.config.

I can see in entlib (4.1) that it's possible to use the default protection providers to encrypt the blocks, but I really need to deploy this application on different servers, and thus I would need to export the key provider used to encrypt the application blocks to those servers.

What I've done so far is to add a custom Protected Configuration Provider to the machine.config file in the .NET v2.0* whatever folder (and on all the target servers).

The custom provider looks like this:

<add name="MyCompanyProvider"
     type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
     keyContainerName="MyKey"
     useMachineContainer="true" />

that sits nicely beside the other default providers and even has design time support in the Entlib config tool. I then choose the protection provider for each block I want to encrypt.

Looking at dev_entlib.config shows that the block was indeed encrypted with my provider. My provider uses my key container, therefore the block should be encrypted using my key container. I then export "MyKey" to an XML file using:

c:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -px "MyKey" "C:\keys.xml" -pri
Exporting RSA Keys to file...
Succeeded!

This key file is then copied to my sysTest server, where it is imported and access rights are granted to "NT Authority\Network Services" and "ASPNET".

I then copy over my encrypted web.config and dev_entlib.config and try to display the connection strings in a small page that uses the .NET ConfigurationManager to get the ConnectionStrings collection and display them on the page. This page is running under IIS, and the identity of the process is "NT Authority\Network Services".

The problem is that it doesn't work! There are "Bad Data" errors or "failed to decrypt using provider MyCompanyProvider".

This approach seems to make logical sense to me, but it still fails.

Does anyone have any other suggestions?

Dec 22, 2008 at 9:03 AM
See if you missed any of the steps mentioned here... http://msdn.microsoft.com/en-us/library/ms998283.aspx#paght000006_webfarmscenarios


Sarah Urmeneta
Global Technology & Solutions
Avanade, Inc.
entlib.support@avanade.com
Dec 22, 2008 at 12:19 PM
I have followed the guide exactly, and I get the correct results only when the configuration block is in the web.config itself and when I use the command line to encrypt the blocks.

I would like to be able to make use of the configuration tool to encrypt the app config blocks that reside in my file configuration source file, entlib.config.

I had read that by adding a custom protection provider to the machine.config I could get design-time support in the config tool. This does work, and when I choose my provider from the drop-down, the selected block is encrypted. When I export the key used to encrypt the block to a different server, there seems to be some kind of inconsistency that leads to my "Bad Data" problems.

If I can't use the config tool, is there any way that I can encrypt the sections without actually doing everything in the web.config and pasting the encrypted results into an external file?
Sep 7, 2009 at 9:12 AM

Great, thanks for your detailed description of the custom provider.

I've followed your instructions with one tiny difference: I also put the XML for the custom provider in the machine.config file on the second PC, and it works. I guess the problem was that the application block had no info about the container name.

So at last your problem seems to be solved, even with some months' delay.
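As an added example (not code from this thread, from Enterprise Library or from aspnet_regiis), the following Python script performs the pre-deployment check that the last post arrived at by trial and error: every provider named by a configProtectionProvider attribute in the external config file must also be registered under configProtectedData in the target server's machine.config, it must be an RSA provider (otherwise there is no key container to export), and its keyContainerName must be among the containers actually imported on the target. The three XML documents below are constructed for illustration; the provider entry mirrors the one posted above, the default-provider entry is the stock one, and the CipherValue is a placeholder, not real ciphertext.

```python
"""Consistency check for RSA-protected configuration sections before a web-farm deploy.

Sample documents are constructed for this example; they are not files from the thread.
"""
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
RSA_TYPE = ("System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, "
            "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

# Constructed: machine.config on the build machine, default provider plus the custom one.
BUILD_MACHINE_CONFIG = """<configuration>
  <configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
    <providers>
      <add name="RsaProtectedConfigurationProvider" type="%s"
           keyContainerName="NetFrameworkConfigurationKey" useMachineContainer="true" />
      <add name="MyCompanyProvider" type="%s"
           keyContainerName="MyKey" useMachineContainer="true" />
    </providers>
  </configProtectedData>
</configuration>""" % (RSA_TYPE, RSA_TYPE)

# Constructed: machine.config on the target server before the fix from the last post,
# i.e. the key was imported but MyCompanyProvider was never registered there.
TARGET_MACHINE_CONFIG = """<configuration>
  <configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
    <providers>
      <add name="RsaProtectedConfigurationProvider" type="%s"
           keyContainerName="NetFrameworkConfigurationKey" useMachineContainer="true" />
    </providers>
  </configProtectedData>
</configuration>""" % RSA_TYPE

# Constructed: external Enterprise Library config with one section encrypted by MyCompanyProvider.
ENTLIB_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="MyCompanyProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-NOT-REAL-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="unrelated" value="plain" /></appSettings>
</configuration>"""


def protection_providers(machine_config_xml):
    """Return {name: attributes} for every <add> under configProtectedData/providers."""
    root = ET.fromstring(machine_config_xml)
    providers = {}
    for add in root.findall("./configProtectedData/providers/add"):
        providers[add.get("name")] = {
            "type": add.get("type", ""),
            "keyContainerName": add.get("keyContainerName", ""),
            "useMachineContainer": add.get("useMachineContainer", "false"),
        }
    return providers


def protected_sections(config_xml):
    """Return {section tag: provider name} for each top-level section that carries
    configProtectionProvider and an <EncryptedData> child, i.e. is really encrypted."""
    root = ET.fromstring(config_xml)
    sections = {}
    for section in root:
        provider = section.get("configProtectionProvider")
        encrypted = section.find("{%s}EncryptedData" % XMLENC_NS) is not None
        if provider is not None and encrypted:
            sections[section.tag] = provider
    return sections


def check_deployment(config_xml, target_machine_config_xml, imported_containers):
    """List every reason the config would fail to decrypt on the target server.

    imported_containers: names of RSA key containers already imported on the target
    (aspnet_regiis -pi) and granted to the worker-process account (-pa). An empty
    list means every referenced provider is registered there with an imported key."""
    providers = protection_providers(target_machine_config_xml)
    problems = []
    for section, name in protected_sections(config_xml).items():
        prov = providers.get(name)
        if prov is None:
            problems.append("section %r references provider %r, which is not registered "
                            "in the target machine.config" % (section, name))
            continue
        if "RsaProtectedConfigurationProvider" not in prov["type"]:
            problems.append("provider %r is not an RSA provider, so no key container "
                            "can be exported/imported for it" % name)
            continue
        container = prov["keyContainerName"]
        if container not in imported_containers:
            problems.append("provider %r uses key container %r, which has not been "
                            "imported on the target" % (name, container))
        if prov["useMachineContainer"].lower() != "true":
            problems.append("provider %r uses a user-level container, so a machine-level "
                            "import will not be found by the worker process" % name)
    return problems


if __name__ == "__main__":
    # Reproduces the thread: key imported, provider entry missing on the target.
    for problem in check_deployment(ENTLIB_CONFIG, TARGET_MACHINE_CONFIG, {"MyKey"}):
        print("PROBLEM:", problem)
    # After copying the provider entry to the target machine.config: no problems.
    print("after fix:", check_deployment(ENTLIB_CONFIG, BUILD_MACHINE_CONFIG, {"MyKey"}))
```

Run it against the real files by replacing the constructed strings with the contents of the target's machine.config and the deployed entlib.config; the first report reproduces the "failed to decrypt using provider MyCompanyProvider" situation, and an empty list is what you want to see before copying the encrypted file to the farm.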