Tuesday, April 12, 2011

Encrypting Sections of Web.config of a SharePoint Site for Multi-Server environments

This is my first blog post on technology, so apologies if I am not very clear on some things. I’m sure it will get better as I go along and share my experiences on various technology topics.

The Background
It is a best practice to encrypt the sections of web.config that hold sensitive information, such as connectionStrings and appSettings. ASP.NET provides an easy way to encrypt such sections, and no code changes are needed to read the data from them: the configuration API decrypts the sections transparently when they are accessed. You can find detailed articles on encrypting the sections in the MSDN links below:
In this post I discuss the encryption of web.config that I had to do for a multi-server SharePoint 2010 environment with two web servers and one application server.

The Issue
Encrypting web.config sections is a relatively simple task on a single-server environment, where you can use the default protection providers without any hassle. When more than one server is involved, the normal encryption steps have to be slightly modified so that the encryption is consistent across all the servers: every server must hold the same RSA key pair, otherwise a web.config encrypted on one server cannot be decrypted on another.
The protection provider to use for a multi-server (web farm) environment is RsaProtectedConfigurationProvider, because its key container can be exported and imported on each server, whereas the DPAPI provider ties the key to the machine it was created on.

The Solution
Cutting things short, to solve this all you need to do is open the Visual Studio command prompt and do the following:

1. Create the key container that will hold the key used for encrypting/decrypting the sections. This can be done using:
aspnet_regiis -pc "MyKey" -exp
Make sure that you use the -exp switch. It marks the keys as exportable; without it you would not be able to export the keys in step 5.

2. Give the Network Service account access to the key container we just created. Do this by:
aspnet_regiis -pa "MyKey" "NT AUTHORITY\NETWORK SERVICE"

3. Add the following section to the web.config, specifying the key container and the other related information that ASP.NET needs to know.

<configProtectedData>
  <providers>
    <add name="MyKeyProtectionProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyKey"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
4. Now all you need to do is encrypt the section of the web.config file. Here I am encrypting the appSettings section of a website, naming the provider defined above with -prov so that the custom key container is used rather than the machine default:
aspnet_regiis -pef "appSettings" "C:\inetpub\wwwroot\wss\VirtualDirectories\MyKeyWebsite" -prov "MyKeyProtectionProvider"

5. Export the key to a file, which will need to be imported on all the web servers where the website resides. This can be done by:
aspnet_regiis -px "MyKey" C:\MyKey.xml -pri
The -pri switch includes the private key in the export, so treat this file as a secret: copy it over a protected channel and delete it once it has been imported.

6. Copy this file to the other web servers where you need to replicate the change and import the key on those web servers by:
aspnet_regiis -pi "MyKey" C:\MyKey.xml

7. Now copy the web.config to the web servers that will make use of the configuration protection. In my case it was the two servers where the sites were residing. Other operations, like deleting the key container and using the default providers for stand-alone servers, are covered in the MSDN links I provided above and on various other blogs.
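The seven steps above, driven from PowerShell with a check after each one, as an added example that is not part of the original post. The aspnet_regiis path (the .NET 2.0/3.5 x64 runtime that SharePoint 2010 uses), the site directory, the container name, the provider name and the account are assumptions taken from the post's own values; adjust them for your farm. The Import-FarmKey function also grants the account access to the container after the import, which the post does not list but which is required because key container permissions are per machine.

```powershell
# Added example, not the original post's code. Assumed values: aspnet_regiis path,
# site directory, container, provider and account (taken from the post's examples).
$AspnetRegiis = "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"  # assumed: .NET 2.0 x64 runtime
$Container    = "MyKey"
$Provider     = "MyKeyProtectionProvider"   # must match <add name="..."> under <configProtectedData>
$Account      = "NT AUTHORITY\NETWORK SERVICE"
$SitePath     = "C:\inetpub\wwwroot\wss\VirtualDirectories\MyKeyWebsite"
$KeyExport    = "C:\MyKey.xml"

function Invoke-RegIis {
    # Runs aspnet_regiis with the given argument list and stops on a non-zero exit code,
    # so a failed step (for example a missing -exp on the container) does not go unnoticed.
    param([string[]]$ArgList)
    & $AspnetRegiis @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($ArgList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-SectionEncrypted {
    # Returns $true when the named section in web.config carries the expected
    # configProtectionProvider attribute and an <EncryptedData> child (xmlenc namespace).
    param([string]$WebConfig, [string]$Section, [string]$ProviderName)
    [xml]$doc = Get-Content -Path $WebConfig
    $node = $doc.DocumentElement.SelectSingleNode($Section)
    if ($null -eq $node) { return $false }
    $encrypted = $node.SelectSingleNode("*[local-name()='EncryptedData']")
    return ($node.GetAttribute("configProtectionProvider") -eq $ProviderName -and $null -ne $encrypted)
}

function Protect-SiteConfig {
    # Steps 1 to 5 on the first web server.
    $webConfig = Join-Path $SitePath "web.config"

    # Step 3 must already be done by hand: the provider has to be declared in web.config.
    if (-not (Select-String -Path $webConfig -Pattern "keyContainerName=`"$Container`"" -Quiet)) {
        throw "web.config does not declare a provider for key container $Container"
    }

    # Step 1: exportable key container (-exp), otherwise step 5 cannot export it later.
    Invoke-RegIis @("-pc", $Container, "-exp")
    # Step 2: let the application pool identity read the container.
    Invoke-RegIis @("-pa", $Container, $Account)
    # Step 4: encrypt appSettings; -prov selects the custom provider instead of the machine default.
    Invoke-RegIis @("-pef", "appSettings", $SitePath, "-prov", $Provider)
    if (-not (Test-SectionEncrypted $webConfig "appSettings" $Provider)) {
        throw "appSettings was not encrypted by $Provider; check the provider declaration"
    }
    # Step 5: export the key pair. -pri includes the private key, so the file is a secret.
    Invoke-RegIis @("-px", $Container, $KeyExport, "-pri")
    Write-Host "Key exported to $KeyExport; copy it and web.config to the other web servers"
}

function Import-FarmKey {
    # Steps 6 and 7 on each additional web server, after $KeyFile and web.config have been copied there.
    param([string]$KeyFile = $KeyExport, [string]$ContainerName = $Container, [string]$AccountName = $Account)
    Invoke-RegIis @("-pi", $ContainerName, $KeyFile)
    # Container ACLs are per machine, so the account must be granted access here as well (not in the post's steps).
    Invoke-RegIis @("-pa", $ContainerName, $AccountName)
    # The export file holds the private key; do not leave it on disk once imported.
    Remove-Item -Path $KeyFile -Force
    if (-not (Test-SectionEncrypted (Join-Path $SitePath "web.config") "appSettings" $ContainerName.Replace("MyKey", $Provider))) {
        Write-Warning "web.config on this server does not yet contain the encrypted appSettings section"
    }
}
```

Run Protect-SiteConfig on the first web server, copy C:\MyKey.xml and the web.config to each remaining web server, then run Import-FarmKey there. The Test-SectionEncrypted check is what tells you the encryption actually went through the custom provider: if the section carries the machine default provider name instead, the other servers will not be able to decrypt it even after importing MyKey.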

Happy Protection!!! ;)
