Key Management

Topics: Cryptography Application Block
Apr 22, 2009 at 7:39 PM
Edited Apr 22, 2009 at 7:44 PM
Hi everyone!  I'm bringing back an "oldie but a goodie" topic to this discussion forum... key management.

Here's my scenario: I'm on a development team of 4 people, and we are creating ASP .NET applications.  I want to know, what are my options to generate and store symmetric keys using the Cryptography App Block for all development PCs? 

Additionally, I have 3 environments I need to promote to from development... test, staging, and production, all of which are meant to host our web applications.  So, in keeping the theme of "sharing keys", what do I/we need to do to promote keys to those three environments as well?  Do we need to install the Ent Lib on our servers to "import" keys?  Is there a cleaner means available?

Sorry if I'm missing something glaring here, but I haven't been able to nail down a specific option for myself and my team.

thanks!

Just an update, I did stumble upon this thread already - http://www.codeplex.com/entlib/Thread/View.aspx?ThreadId=8379, but I'm still searching for some guidance on how to promote, share, import, export keys/secrets among environments.
Apr 23, 2009 at 5:35 AM
Hi,

Reading the documentation and some googling, I came across "Managing and Distributing Keys" (http://msdn.microsoft.com/en-us/library/dd140078.aspx), which describes how to distribute keys. As the documentation describes, you would need to export the key file and manually import it on the target machine. 

Valiant Dudan
Global Technology & Solutions
Avanade, Inc.
entlib.support@avanade.com
Apr 23, 2009 at 3:32 PM
Thanks Avanade!  So, how do I "import" the exported key file?  I did so on another developer's PC by using the Ent Lib config tool; do we need to do the same on our servers, or are there built-in tools in Server 2K3 and 2K8?  If we need the Ent Lib tool, can I just "copy it", or do we have to install the entire Enterprise Library on our servers, which we prefer not to do?

Thanks again
Apr 24, 2009 at 3:45 AM
You can use the config tool, but if you'd rather not install it on your server, I think 

aspnet_regiis -pi "CustomKeys" filename

would work.   http://msdn.microsoft.com/en-us/library/ms998283.aspx#paght000006_webfarmscenarios


Sarah Urmeneta
Global Technology & Solutions
Avanade, Inc.
entlib.support@avanade.com

Apr 24, 2009 at 3:51 PM
Thanks again Avanade, but the "pi" option is meant to import an RSA XML file.  The export key feature from the EntLib Config tool generates a text file, making the command incompatible.  Any other thoughts/options?
Apr 24, 2009 at 4:22 PM
Just another question: I've seen some chatter about storing your encryption value in a SQL table; is that also a viable option?  If so, does it "play nice" with the Cryptography block?  Or does it circumvent most of this process?  If that's the case, I'd like to stay as true to the process as possible...
Apr 28, 2009 at 1:58 PM
Hi everyone, just wondering if someone had a conclusion for me on this issue?  I don't think I'm alone on this one, but all other research brings me to dead ends. 

On a side note, how would one go about deploying a web application using the Cryptography Application Block on a website hosted by another company?  I ask because I think it's a similar question to what I'm looking for here: a means to export/import a key, or share a key for that matter, in an environment with limited control over the server.

If there's no way of doing this, that's fine; I think I just need a definitive answer on how to use this application block at this point.
Apr 30, 2009 at 4:04 AM
Hi ewitkows, sorry for the late reply.  Consider the suggestion posted in this thread: http://www.codeplex.com/entlib/Thread/View.aspx?ThreadId=8379


Sarah Urmeneta
Global Technology & Solutions
Avanade, Inc.
entlib.support@avanade.com
Apr 30, 2009 at 1:29 PM
No problem, I appreciate you following up.

The main point I picked up from that thread was "you must use the Cryptographic Key Wizard on that machine to place it in a file that gets encrypted using DPAPI", stated by "SamTheMan", and it looks like the only way around the tool is to use a deployment tool to automatically create the key upon installation of the software, which certainly doesn't apply or help the scenarios I listed above.

At least now I know where this application block comes into play, but personally I guess I'm pretty disappointed in the lack of flexibility that this application block has.  I entered a ticket in the feature list; it would be nice if they at least started to support keys created from a certificate authority or something similar... fingers crossed.

Thanks for the help
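The constraint quoted above (the wizard writes the key into a file protected with DPAPI, so it only opens on the machine that created it) is why a copied key file does not work elsewhere. The following is an added example in plain .NET, not the Enterprise Library's API and not any poster's code: it shows the two halves of the promotion process, an "export" that wraps the raw key under a passphrase for transport, and an "import" that verifies the file and re-binds the key to the target server with DPAPI machine scope. It assumes a project reference to System.Security.dll (for ProtectedData) and a PBKDF2 iteration count chosen by the reader.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
// Added example, not Enterprise Library code. The wizard's DPAPI key file is bound to one machine,
// so a key moves by wrapping its raw bytes under a passphrase and re-protecting them with DPAPI on
// the target. Transport blob (base64): salt(16) | iv(16) | AES-256-CBC ct | HMAC-SHA256 tag(32).
static class KeyTransport
{
    const int Iterations = 100000; // PBKDF2 work factor; an assumption, raise as hardware allows
    // "Export" step: the passphrase-protected file that travels between environments.
    public static string Export(byte[] rawKey, string passphrase)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations);
        using (var aes = new AesManaged { Key = kdf.GetBytes(32) })   // first 32 derived bytes: AES key
        using (var mac = new HMACSHA256(kdf.GetBytes(32)))             // next 32 derived bytes: MAC key
        {
            aes.GenerateIV();
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(rawKey, 0, rawKey.Length);
            byte[] body = Concat(salt, aes.IV, ct);
            return Convert.ToBase64String(Concat(body, mac.ComputeHash(body))); // encrypt-then-MAC
        }
    }
    // "Import" step: verify the tag, unwrap, then bind the key to this server with DPAPI.
    public static byte[] ImportToDpapi(string exported, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(exported);
        if (blob.Length < 16 + 16 + 16 + 32) throw new CryptographicException("key file too short");
        byte[] body = Sub(blob, 0, blob.Length - 32), tag = Sub(blob, blob.Length - 32, 32);
        var kdf = new Rfc2898DeriveBytes(passphrase, Sub(body, 0, 16), Iterations);
        using (var aes = new AesManaged { Key = kdf.GetBytes(32), IV = Sub(body, 16, 16) })
        using (var mac = new HMACSHA256(kdf.GetBytes(32)))
        {
            if (!FixedTimeEquals(mac.ComputeHash(body), tag))
                throw new CryptographicException("wrong passphrase or tampered key file");
            byte[] ct = Sub(body, 32, body.Length - 32);
            byte[] rawKey = aes.CreateDecryptor().TransformFinalBlock(ct, 0, ct.Length);
            // LocalMachine scope: readable by any account on this server, by no other server.
            return ProtectedData.Protect(rawKey, null, DataProtectionScope.LocalMachine);
        }
    }
    static byte[] Concat(params byte[][] parts)
    { var ms = new MemoryStream(); foreach (var p in parts) ms.Write(p, 0, p.Length); return ms.ToArray(); }
    static byte[] Sub(byte[] a, int off, int len)
    { byte[] r = new byte[len]; Buffer.BlockCopy(a, off, r, 0, len); return r; }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    { int d = a.Length ^ b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) d |= a[i] ^ b[i]; return d == 0; }
}
```

The bytes returned by ImportToDpapi are what goes on disk on the target; the application unprotects them with ProtectedData.Unprotect under the same LocalMachine scope, and the passphrase used for transport should travel separately from the exported file.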