Configuration Protector Product Tour
Introduction
Configuration Protector is a developer tool designed to simplify the task of encrypting
and decrypting configuration file sections during application development. When
a configuration section has been encrypted using a defined protected configuration
provider, the .Net Framework will automatically decrypt it at run time. However,
whilst developing an application you may need to make changes to the settings in
an encrypted section, to add a new value, update an existing value or delete an
existing value. To make changes such as these you will have to manually decrypt
the section, make the change or changes and then encrypt the section again.
The Configuration Protector provides a graphical user interface that enables configuration
sections to be encrypted and decrypted using a point and click technique that reduces
typing and therefore mistakes and speeds up the whole process.
In addition to providing a simple and intuitive user interface for encrypting and
decrypting configuration file sections, the Configuration Protector also provides
a graphical user interface for managing RSA key containers and their keys.
User Interface
The Configuration Protector user interface consists of two main sections:
The Protection section in which you specify the configuration file to encrypt or
decrypt, the protected configuration provider to use when encrypting, the custom
attributes for a protected configuration provider or a custom protected configuration
provider type.
The RSA Key Management section in which you can create an RSA key container, grant
and remove RSA key container access permission, export and import an RSA key container
and delete an RSA key container.
Configuration File Page
The user interface has a navigation pane, on the left, containing the section item
and section sub item navigation links and a content pane, on the right, in which
the page content for a section item or a section sub item is displayed. When you
hover the mouse over a section item or a section sub item in the navigation page,
the text is displayed as a link, click the link to display the item's content page
and if it is a section item expand the section to display the sub items.
When the home content page is displayed there are two section items available, the
Protection section and the RSA Key Management section. Clicking either of these
two section items will display the section page in the content pane and expand the
section to display the item's sub items. Each sub item in a section is a link to
the relevant content page.
Protection Section
To encrypt or decrypt a configuration file section you must specify the relevant
file on the Configuration File page and the relevant section on the Encrypt | Decrypt
page. If you are not using the default protected configuration provider that is
specified in the machine.config file you will also have to specify a provider name
on the Provider page. You may specify custom attributes for the RSA and DPAPI providers
or you may specify your own custom protected configuration provider.
Configuration File Page
Specifies the configuration file containing the section or sections that are to
be encrypted or decrypted and/or the configuration file to save a protected configuration
provider definition to. You can specify and select the following settings for a
configuration file:
- Configuration File Type
-
You can choose to work with either an
app.config or a web.config file. The Configuration
Protector uses the System.Configuration.ConfigurationManager class to load an app.config
file and the System.Web.Configuration.WebConfigurationManager class to load a web.config
file, therefore you are required to specify the type of configuration file that
you want to work with.
Once loaded, the underlying mechanism is the same for both types of configuration
file and if you specify app.config and then load a Web application's configuration
file, in most cases, the Configuration Protector will encrypt and decrypt the sections,
however the results may be unpredictable, therefore, we recommend that you specify
the correct configuration file type.
- Configuration File
-
Use the browse button, to the right of the Configuration File control, to display
a file open dialog. In the dialog, browse to and then select the configuration file
that you want to work with.
Provider Page
Specifies the name of the protected configuration provider to use when encrypting
configuration sections. A set of radio buttons provide the following options:
- RSA Protected Configuration Provider
-
Specifies the RSA protected configuration provider instance which, in a typical
.Net Framework installation, is defined in the
machine.config file. This is the
default option, the Configuration Protector assigns this RSA protected configuration
provider as the selected provider.
- DPAPI Protected Configuration Provider
-
Specifies the DPAPI protected configuration provider instance which, in a typical
.Net Framework installation, is defined in the
machine.config file.
- Named Protected Configuration Provider
-
Specifies the name of a protected configuration provider instance that is defined
in the selected configuration file or in the
machine.config file. The instance may
be an RSA protected configuration provider with custom attributes or properties,
a DPAPI protected configuration provider with custom attributes or properties or
a custom protected configuration provider developed by yourself or a third party.
When you select either the RSA Protected Configuration Provider option or the DPAPI
Protected Configuration Provider option, the Configuration Protector will assign
the relevant provider name to the Provider Name edit control.
When you select the Named Protected Configuration Provider option the Configuration
Protector will enable the Provider Name edit control to allow you to enter the name
of the required provider.
You do not have to specify a protected configuration provider name when you are
decrypting a configuration section, it will not do any harm to specify a name but
the Configuration Protector will not use it when decrypting a configuration section.
When a configuration section is encrypted, the name of the protected configuration
provider that is performing the encryption is written to the configProtectionProvider
attribute of the encrypted section. The value of this attribute is used by the .Net
Framework to load and initialize the correct protected configuration provider instance
when the section needs to be decrypted.
The Configuration Protector will not save custom attributes for a protected configuration
provider that has a name of 'RsaProtectedConfigurationProvider' or 'DataProtectionConfigurationProvider'
to the selected configuration file. As these are the names, typically, defined in
the machine.config file they are considered by the Configuration Protector to be
reserved.
RSA Provider Page
Specifies the attributes or properties of an instance of the RSA protected configuration
provider and saves the values to the configProtectedData section element in the
selected configuration file. You can specify the following attribute values for
the RSA protected configuration provider:
- Provider Name
-
Specifies the name of the RSA protected configuration provider instance. The name
should be unique, meaningful and descriptive.
- Description
- Specifies the description of the RSA protected configuration provider instance.
- Set as the Default Protected Configuration Provider
-
Specifies whether or not the RSA protected configuration provider instance is the
default provider.
- Key Container Name
-
Specifies the name of the RSA key container used by the RSA protected configuration
provider instance.
- Cryptographic Service Provider (CSP) Name
-
Specifies the name of the Windows cryptography API (crypto API) cryptographic service
provider (CSP).
- Use Optimal Asymmetric Encryption Padding (OAEP)
-
Specifies whether or not to use Optimal Asymmetric Encryption Padding (OAEP) when
encrypting and decrypting.
When you have completed the entries you can persist the RSA protected configuration
provider instance's attributes to the selected configuration file. The Configuration
Protector creates a configProtectedData section element in the file, if one does
not exist and then creates a providers element, if one does not exist and then adds
the provider's attributes. If a protected configuration provider with the specified
name already exists in the selected configuration file the Configuration Protector
gives you the option of either updating the existing settings or cancelling the
save operation.
DPAPI Provider Page
Specifies the attributes or properties of an instance of the DPAPI protected configuration
provider and saves the values to the configProtectedData section element in the
selected configuration file. You can specify the following attribute values for
the DPAPI protected configuration provider:
- Provider Name
-
Specifies the name of the DPAPI protected configuration provider instance. The name
should be unique, meaningful and descriptive.
- Description
- Specifies the description of the DPAPI protected configuration provider instance.
- Set as the Default Protected Configuration Provider
-
Specifies whether or not the DPAPI protected configuration provider instance is
the default provider.
- Use Machine-level Protection
-
Specifies whether or not to use machine-level protection. If unchecked, user-level
protection will be used and the Key Entropy control will be disabled.
- Key Entropy
-
When using machine-level protection, specifies an application specific value, that
can be thought of as a password, to use with the encryption key to protect against
other applications on the machine decrypting information.
When you have completed the entries you can persist the DPAPI protected configuration
provider instance's attributes to the selected configuration file. The Configuration
Protector creates a configProtectedData section element in the file, if one does
not exist and then creates a providers element, if one does not exist and then adds
the provider's attributes. If a protected configuration provider with the specified
name already exists in the selected configuration file the Configuration Protector
gives you the option of either updating the existing settings or cancelling the
save operation.
Custom Provider Page
Specifies the attributes or properties of an instance of a custom protected configuration
provider and saves the values to the configProtectedData section element in the
selected configuration file. You can specify the following attribute values for
a custom protected configuration provider:
- Provider Name
-
Specifies the name of the custom protected configuration provider instance. The
name should be unique, meaningful and descriptive.
- Provider Type Name
-
Specifies the assembly qualified type name of the custom protected configuration
provider class. Use the browse button, to the right of the Provider Type Name control,
to display the Custom Provider Type Selector Dialog and select the relevant
System.Configuration.ProtectedConfigurationProvider derived class.
- Set as the Default Protected Configuration Provider
-
Specifies whether or not the custom protected configuration provider instance is
the default provider.
- Attributes
-
Specifies the attributes of the custom protected configuration provider. Typically,
a custom protected configuration provider will have, at least, one custom attribute.
When you have completed the entries you can persist the custom protected configuration
provider instance's attributes to the selected configuration file. The Configuration
Protector creates a configProtectedData section element in the file, if one does
not exist and then creates a providers element, if one does not exist and then adds
the provider's attributes. If a protected configuration provider with the specified
name already exists in the selected configuration file the Configuration Protector
gives you the option of either updating the existing settings or cancelling the
save operation.
Encrypt | Decrypt Page
Specifies the name of the configuration file section to encrypt or decrypt. Encrypts
or decrypts the specified configuration section in the selected configuration file
using the selected protected configuration provider. You can specify the following
values and perform the following operations on the selected configuration file:
The path of the currently selected configuration file is displayed together with
the name of the selected protected configuration provider. You do not have to select
or specify a provider name if you are decrypting a configuration file section. However,
it does not matter if a provider name is displayed when decrypting, as the Configuration
Protector ignores the field when decrypting a configuration section.
- Configuration Sections
-
Lists the names of configuration sections that often require encryption. You can
either choose a section name from the list or you can type a section name into the
list.
- Remember Section Name
-
If you specify a section name, by typing it into the list, you can instruct the
Configuration Protector to remember the name by checking this control. If the section
name is proved to exist in the selected configuration file, after a successful check
state or encrypt or decrypt operation, it will be saved and will therefore be included
in the section name list the next time that you visit the Encrypt | Decrypt page.
- Check State
-
You can, optionally, use the Check State button to display the current state of
the selected section in the selected configuration file. The display shows whether
or not the selected section exists in the configuration file, whether or not it
is currently locked and whether or not it is currently encrypted.
- Encrypt | Decrypt
-
Use the Encrypt button to encrypt the selected section in the configuration file
using the selected protected configuration protection provider.
Use the Decrypt button to decrypt the selected section in the configuration file
using the same protected configuration provider that was used to encrypt the section.
To encrypt a configuration section you must first specify a configuration file,
you must then specify a protected configuration provider name. If you do not specify
a protected configuration provider name, the Configuration Protector's default selected
provider name 'RsaProtectedConfigurationProvider' will be used with the attribute
values specified in the machine.config file.
RSA Key Management Section
To encrypt a configuration file section on one machine and have the .Net Framework
decrypt the section on another machine you will, at least, have to export the public/private
key pair from the encrypting machine and import them into a key container on the
decrypting machine. Use the pages in this section to create an RSA key container,
import and export keys, grant and remove key container permissions and delete a
key container.
Create Key Container Page
Specifies the properties of an RSA key container, creates the specified container
complete with a generated RSA public/private key pair. You can specify the following
properties when creating an RSA key container:
- Key Container Name
- Specifies the name of the key container. The name must be unique on the system.
- Allow Private Key to be Exported
-
Specifies whether or not the key container should allow the private key to be exported.
The private key is required to decrypt configuration settings. Therefore, if you
are planning to export the key container from the encrypting machine and import
it into another, decrypting, machine, you will need to export the private key.
- Use Default Key Size
-
Specifies whether or not to use the default size for the key container's keys. The
default key size is 1024 bytes. If you un-check this control the Key Size control
will be enabled and you can then enter the required key size value.
- Key Size
-
When not using the default size, specifies the size of the key container's keys.
This control is only enabled if the Use Default Key Size control is not checked.
When you have completed the entries use the Create button to generate an RSA public/private
key pair and store the keys in a key container with the specified name.
Although Windows supports both user-level and machine-level RSA key containers the
Configuration Protector only supports machine-level containers, therefore, there
is no way to create a user-level RSA key container from within the Configuration
Protector. To control access to the key container, using an Access Control List
(ACL), so that only the required users can access the keys see the Grant Permission
page.
Grant Permission Page
Specifies the RSA key container to grant permission to, the type of permission to
grant and the user or group account to grant access permission to. Adds the user
or group to the key container's Access Control List (ACL). You can specify the following
properties when granting access to an RSA key container:
- Key Container Name
- Specifies the name of the key container. A key container with the specified name
must exist.
- Read-only Permission
-
Specifies that read-only access to the key container should be granted to the specified
user or group. A user or group account that is to be used to decrypt configuration
sections requires, at least, read-only access to the key container.
- Full Permission
-
Specifies that full, administrator access to the key container should be granted
to the specified user or group. A user or group account that is to be permitted
to export keys and generally manage the key container requires full access to the
key container.
- User or Group Account Name
-
Specifies the user or group account to grant the specified permission to. The Configuration
Protector must be able to resolve or map the specified value to a Windows user or
group account. To enable the .Net Framework to automatically decrypt an encrypted
configuration section when it is loaded into memory, the Windows or process identity
of the application loading the configuration file requires, at least, read access
to the relevant RSA key container.
When you have completed the entries use the Grant button to grant the specified
access permission for the specified user or group to the RSA key container.
Remove Permission Page
Specifies the RSA key container and the user or group account to remove access from.
Removes the user or group from the key container's Access Control List (ACL). You
can specify the following properties when removing access from an RSA key container:
- Key Container Name
-
Specifies the name of the key container. A key container with the specified name
must exist.
- User or Group Account Name
-
Specifies the user or group account to remove access permission from. The Configuration
Protector must be able to resolve or map the specified value to a Windows user or
group account.
When you have completed the entries use the Remove button to remove access permission
for the specified user or group from the RSA key container.
Note
Be careful when removing access to a key container to ensure
that you leave at least one account with full access to the key container. If you
do not, you run the risk of orphaning the key container and making it inaccessible.
Export Key Container Page
Specifies the RSA key container to export from and the key file to export to. Exports
the public key and optionally, the private key, from the specified key container
to the specified XML file. You can specify the following properties when exporting
an RSA key container:
- Key Container Name
-
Specifies the name of the key container. A key container with the specified name
must exist.
- Export the Private as well as the Public Key
-
Specifies whether or not to export the private as well as the public key. The private
key is required to decrypt configuration settings. Therefore, if you are planning
to import the key container into another, decrypting, machine, you will need to
export the private key.
- Key Export File
-
Specifies the XML file to export the key(s) to. Use the browse button to the right
of the control to display a file save as dialog. In the dialog, browse to the required
folder and enter a name for the key export file. If the file does not exist, it
will be created, if the file does exist, it will be overwritten.
When you have completed the entries click the Export button to export the key(s)
from the specified RSA key container and write them to the specified XML key export
file.
Note
Once exported from an RSA key container the keys are vulnerable, therefore you should
either destroy the file as soon as you have imported the key container into one
or more other machines or restrict access to the file to as few accounts as possible.
The functionality to export an RSA key container is not available when the Configuration
Protector is running in evaluation mode.
Import Key Container Page
Specifies the RSA key container to import to and the key file to import. Imports
the public key and optionally, the private key, from the specified XML file into
the specified key container. You can specify the following properties when importing
an RSA key container:
- Key Container Name
-
Specifies the name of the key container. The name must be unique on the system.
See below for further details.
- Allow Private Key to be Exported
-
Specifies whether or not the key container should allow the private key to be exported.
The private key is required to decrypt configuration settings. Therefore, if you
are planning to export the key container from the encrypting machine and import
it into another, decrypting, machine, you will need to export the private key.
- Key Import File
-
Specifies the XML file to import the keys from. Use the browse button to the right
of the control to display a file open dialog. In the dialog, browse to and select
the key import file.
When you have completed the entries click the Import button to import the key(s)
from the specified XML key import file into the specified RSA key container.
If a key container with the specified name does not exist, it will be created, if
a key container with the specified name does exist, it's keys will be overwritten,
without warning, by the imported key(s). Typically, you should not, import into
an existing key container. If you intend to do so, make sure that you have decrypted
any configuration sections that have been encrypted with the container's keys or
make sure that you have a backup of the existing keys in the container before executing
the import.
Note
Once exported from an RSA key container the keys are vulnerable, therefore you should
either destroy the file as soon as you have imported the key container or restrict
access to the file to as few accounts as possible.
The functionality to import an RSA key container is not available when the Configuration
Protector is running in evaluation mode.
Delete Key Container Page
Specifies the name of the RSA key container to delete. Deletes the RSA key container
and it's keys. You can specify the following properties when deleting an RSA key
container:
- Key Container Name
-
Specifies the name of the key container. A key container with the specified name
must exist.
When you have completed the entry use the Delete button to delete the key container
with the specified name.
Before deleting a key container, make sure that you have decrypted any configuration
sections that have been encrypted with the container's keys or make sure that you
have a backup of the container's keys.
Conclusion
Blayd Software's Configuration Protector provides a simple and intuitive graphical
user interface that makes the process of encrypting and decrypting configuration
file section data and managing RSA key containers and their keys mostly a point
and click operation. Configuration Protector can be left open, whilst you are working,
with a configuration file and protected configuration provider specified, making
the process of encrypting and decrypting a configuration section a simple matter
of clicking either the Encrypt or Decrypt button.
Copyright ©Blayd Software Limited 2007-2010. All rights reserved.