Enterprise Library 3.1 configure Cryptography

Topics: Cryptography Application Block
Sep 23, 2009 at 11:11 PM

Im using Enterprise Library 3.1 Cryptography. while configuring Cryptography Application Block, under Symmetric Providers I created new Provider "Rijndael" then I created new key by clicking on generate in Cryptographic Key Wizard. when I select Machine Mode its working fine, but when I selected User Mode I got the following error.

Note: mykey.key file is saved under my web application under KEY folder.

Exception Details: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

at line 7:

'Symmetric Providers
Line 7:          Dim encryptedContentsBase64 As String = Cryptographer.EncryptSymmetric("RijndaelManaged", "password")
Line 8:          Response.Write(encryptedContentsBase64)

and here is the related web.config part

    This describes the section of the web.config file that is relevant to our needs.
In our case this tells us that we are ready to use a section called dataConfiguration. The two entries in the type attribute are the class that handles the processing of the web.config file in relation to this section followed by the assembly name to which this refers.
    <section name="loggingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.LoggingSettings, Microsoft.Practices.EnterpriseLibrary.Logging, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <section name="securityCryptographyConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Configuration.CryptographySettings, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <section name="cachingConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Caching.Configuration.CacheManagerSettings, Microsoft.Practices.EnterpriseLibrary.Caching, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<securityCryptographyConfiguration defaultHashInstance="SHA256Managed">
      <add algorithmType="System.Security.Cryptography.SHA256Managed, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        saltEnabled="true" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.HashAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        name="SHA256Managed" />
      <add algorithmType="System.Security.Cryptography.RijndaelManaged, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        protectedKeyProtectionScope="CurrentUser" type="Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.SymmetricAlgorithmProvider, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        name="RijndaelManaged" />

but I read on the MSDN about TO CREATE A NEW KEY

1. Select Create a new key, and then click Next.
2. Enter the hexadecimal key you want to use or click Generate to create a new key. Click Next.
3. Choose where you want to store the key file. Enter the location or click the ellipsis button (…) and select the location. Click Next.
4. Select either User mode or Machine mode. User mode uses the credentials of the user who is currently logged on to encrypt the key. In machine mode, any user who is logged on can encrypt and decrypt the key. Click Finish.
5. The Key property appears in the right pane of the configuration console. Click the ellipsis button (…) to use the Cryptographic Key Wizard again to generate a different key.


step 4 ..... logged to where ? in my application I dont have login yet.

please help


Sep 24, 2009 at 9:38 AM


Please see this thread: http://www.codeplex.com/entlib/Thread/View.aspx?ThreadId=8379 .

Valiant Dudan
Global Technology and Solutions
Avanade, Inc.

Sep 24, 2009 at 9:17 PM

Hi Dear,

my issue is when I select protectedKeyProtectionScope="LocalMachine" its working fine but when I change the value to be "CurrentUser" I got the above mentioned error
I checked the sample code "QuickStart" it is using "LocalMachine"


Sep 25, 2009 at 3:47 AM

The User mode uses the credentials of the user who is currently logged on to the machine to encrypt the key.  Your asp.net application runs under a different name from that of the logged in user in your machine.

Does your asp.net use impersonation? Check if impersonate=true in your web.config.  By the way, I'm not recommending to set it to true, the decision's up to you.  Just want to show you how the CurrentUser mode works.


Sarah Urmeneta
Global Technology and Solutions
Avanade, Inc.

Sep 27, 2009 at 8:32 AM

thank you for the explanation. I got your point.