I'm using common database code between a web and WinForms app. I've researched and worked out how to encrypt the connection strings section of a web.config and app.config file. That part is ok. I have also worked out how to decrypt the connection strings in my Azure web app, that's ok. I can also read the connection strings in my WinForms app after loading the .pfx file into the machine's certificate store, but after I reboot it fails, because it can't find a private key in the pfx file.
I am using a certificate created with these commands:
makecert -r -pe -n "CN=myconfig" -sky exchange "myconfig.cer" -sv "myconfig.pvk"
pvk2pfx -pvk "myconfig.pvk" -spc "myconfig.cer" -pfx "myconfig.pfx" -pi
This gives me 3 files: myconfig.pvk, myconfig.cer, myconfig.pfx
I assume the problem is the private key isn't stored in the pfx file, and needs to be re-authenticated each time after a reboot, but I don't know enough about encryption to know how to do that. Further, the WinForms app is for very limited distribution onto controlled machines, so I'd like to install each certificate manually.
I'm a newbie to encryption and am stuck. Can I load a .pfx file onto a machine, enter the private key (which I know but won't tell the user) & have that stored persistently? Am I missing something; is there a different certificate file I should install, or way of generating it? I don't want to leave the private key accessible. If someone steals the app.config, I don't want them to be able to decrypt it.
Note: I have read about the RsaProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider. I have chosen to use PKCS12ProtectedConfigurationProvider because it works with Azure, ref: http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx
I stumbled on the answer when I deployed the app to my local IIS & got the error "Failed to decrypt using provider 'CustomProvider'. Error message from the provider: Keyset does not exist"
There was a permissions problem with the private key, resolved with the help of this article:
CryptographicException 'Keyset does not exist', but only through WCF
The article includes a number of possible causes, the one which fixed my issue was fixing the permissions in 'Manage Private Keys' from the MMC Certificates snap-in (see link, the steps are well laid out).
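The two pieces the thread covers, installing the .pfx into the machine store so the key survives reboots and then fixing the private-key permissions that "Manage Private Keys" edits in the MMC snap-in, can be scripted so the manual per-machine install is repeatable. The following is an added example, not code from the original post or the linked article; it assumes the PFX sits at C:\certs\myconfig.pfx (a constructed path) and that the account the app runs as is passed in -AppAccount (the IIS app pool identity for the web app, or the service/user account for the WinForms app). It needs an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later, where the PKI module's Import-PfxCertificate is available.

```powershell
#Requires -RunAsAdministrator
# Added example: import a PFX into the machine store without the exportable
# flag, then grant one account read access to the private key file.
# Assumed values: -PfxPath and -AppAccount are placeholders for your own.
param(
    [string]$PfxPath    = 'C:\certs\myconfig.pfx',
    [string]$AppAccount = 'IIS AppPool\DefaultAppPool'
)

# Prompt for the PFX password rather than embedding it in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. LocalMachine\My keeps the key container in the machine profile, so it is
#    still there after a reboot and is not tied to whoever ran the import.
#    -Exportable is deliberately NOT set: the key can be used but not copied
#    back out of the store, which limits what a stolen app.config is worth.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) imported without a private key; rebuild the PFX with the .pvk included."
}

# 2. Find the on-disk key container. "Keyset does not exist" at runtime
#    usually means the account can open the certificate but not this file.
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    # makecert produces a CAPI key (RSACryptoServiceProvider); CNG keys report RSACng.
    $uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys live under %ProgramData%\Microsoft\Crypto (RSA\MachineKeys
    # for CAPI, Keys for CNG); search both rather than hard-coding one.
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    $file = Get-ChildItem -Path $cryptoRoot -Recurse -File -Filter $uniqueName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) { throw "Key container '$uniqueName' not found under $cryptoRoot." }
    return $file
}

$keyFile = Get-PrivateKeyFile -Certificate $cert

# 3. Grant Read only. Write or FullControl would let the account replace the
#    key, which nothing in the decrypt path needs.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 4. Show the resulting ACL so the grant can be checked before the app is run.
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Key file   : $($keyFile.FullName)"
(Get-Acl -Path $keyFile.FullName).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it once per controlled machine as an administrator; the account name must be the one the process actually runs under, which for the Azure/IIS case is the application pool identity rather than the logged-on user. If the decrypt still fails afterwards, the ACL listing at the end is the first thing to compare against the account shown in the "Keyset does not exist" error.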