Importing and Exporting Protected Configuration RSA Key Containers (2024)


Protected configuration provides the capability to create, delete, export, and import RSA key containers when using the RsaProtectedConfigurationProvider. One scenario where this is useful is in a Web farm where the same encrypted Web.config file will be deployed to several servers. In that case, the same RSA key container must also be deployed to those servers. To accomplish this, you would create an RSA key container for the application, export it to an XML file, and import it on each server that needs to decrypt the encrypted Web.config file.

Creating RSA key containers can also be useful on a single Web server that hosts multiple ASP.NET applications. By creating an RSA key container for each application or for each set of applications for a single customer, you can improve the security of an application's sensitive configuration information by ensuring that the Web.config file for one application cannot be decrypted using the RSA key container from another application.

Creating an RSA Key Container

To create an RSA key container, you use the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the -pc switch. You must give the key container a name, which identifies the key container used by the RsaProtectedConfigurationProvider specified in the configProtectedData section of your application's Web.config file. To ensure that your newly created RSA key container can be exported, you must include the -exp option.

For example, the following command creates an RSA key container named SampleKeys that is a machine-level key container and is exportable.

aspnet_regiis -pc "SampleKeys" -exp

The following example shows the configProtectedData section of a Web.config file. The section specifies an RsaProtectedConfigurationProvider that uses a machine-level RSA key container named SampleKeys.

<configProtectedData>
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="SampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

Note

To guard against encryption and decryption keys for protected configuration sections being unintentionally deleted, RSA key containers are not deleted if the .NET Framework is uninstalled.

Granting Authority to Access an RSA Key Container

By default, RSA key containers are tightly protected by NTFS access control lists (ACLs) on the server where they are installed. This improves the security of the encrypted information by restricting who can access the encryption key.

Before ASP.NET can use an RSA key container, the process identity of your ASP.NET application must be authorized to have read access to that RSA key container. For information on setting and determining the identity of your ASP.NET application, see ASP.NET Impersonation.

You can use the Aspnet_regiis.exe tool with the -pa switch to give the identity of your ASP.NET application permission to read an RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account access to read the machine-level RSA key container named SampleKeys:

aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"

Note

If the RSA key container is a user-level container, you must be logged on as the user in whose Windows profile the key is stored, and you must include the -pku option to grant access to the user-level RSA key container. For more information, see Understanding Machine-Level and User-Level RSA Key Containers.

To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application's Windows identity access to the machine key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. The preceding command could therefore also be issued as the following:

aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"

Exporting an RSA Key Container

To export an RSA key container to an XML file, you can use the Aspnet_regiis.exe tool with the -px switch. You can use the XML file as backup for the RSA key container or to import the RSA key container on a different server. The private key portion of the RSA key container is required in order to decrypt encrypted information. To make use of your exported key container on another server, you will need to import the private key as well. You can include the private key in your XML file by specifying the -pri option when exporting the key. You must also specify whether the exported key container is machine-level or user-level. To export a user-level key container, you must be logged on as the user in whose Windows profile the key is stored. To specify a user-level key, include the -pku option when exporting the encryption key information; otherwise the exported key will be from the machine key store. For more information on machine-level and user-level encryption keys, see Understanding Machine-Level and User-Level RSA Key Containers.

For example, the following command exports the machine-level RSA key container named SampleKeys to the file named keys.xml and includes the private key information.

aspnet_regiis -px "SampleKeys" keys.xml -pri

Note

For security, after you export an RSA key container to an XML file, copy the XML file to a location external to the server and delete the XML file from the server. This reduces the chance of an attacker gaining access to your RSA key container and thereby the ability to decrypt Web.config files encrypted using that RSA key container.
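Before the exported file is copied off the server, a practitioner usually wants proof that it actually carries the private key (the -pri option described above) and that the key material is internally consistent, because a public-only or corrupted file imports without complaint and only fails later, when the application tries to decrypt Web.config. The following PowerShell function is an added example and is not part of the Microsoft article. It assumes the exported file uses the <RSAKeyValue> XML layout that .NET's RSA.ToXmlString writes (Modulus, Exponent, P, Q, DP, DQ, InverseQ and D as base64-encoded big-endian unsigned integers), which is the layout aspnet_regiis -px produces; the file name keys.xml is the article's example, and the function name Test-ExportedRsaKeyContainer is my own.

```powershell
# Added example, not part of the Microsoft article: check an RSA key container
# exported with "aspnet_regiis -px <name> keys.xml -pri" before it leaves the
# server. Assumes the <RSAKeyValue> XML layout that .NET's RSA.ToXmlString
# writes (Modulus, Exponent, P, Q, DP, DQ, InverseQ, D as base64-encoded
# big-endian unsigned integers); keys.xml is the article's example file name.
Add-Type -AssemblyName System.Numerics

function ConvertFrom-RsaXmlInteger {
    # Decode one base64 value into a BigInteger. .NET writes big-endian
    # unsigned bytes; the BigInteger constructor expects little-endian
    # two's-complement, so reverse the bytes and append a zero sign byte.
    param([string]$Base64)
    if ([string]::IsNullOrEmpty($Base64)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    [array]::Reverse($bytes)
    $littleEndian = [byte[]]($bytes + [byte]0)
    return New-Object System.Numerics.BigInteger -ArgumentList (, $littleEndian)
}

function Test-ExportedRsaKeyContainer {
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $k = $doc.RSAKeyValue
    if ($null -eq $k) { throw "$Path does not contain an <RSAKeyValue> element" }

    $n = ConvertFrom-RsaXmlInteger $k.Modulus
    $e = ConvertFrom-RsaXmlInteger $k.Exponent
    $d = ConvertFrom-RsaXmlInteger $k.D      # written only when exported with -pri
    $p = ConvertFrom-RsaXmlInteger $k.P
    $q = ConvertFrom-RsaXmlInteger $k.Q
    $hasPrivateKey = ($null -ne $d) -and ($null -ne $p) -and ($null -ne $q)

    # Internal consistency of the private half: n = p*q, e*d = 1 modulo p-1
    # and modulo q-1, and the CRT values match. A file that fails this would
    # still import but could never decrypt anything.
    $consistent = $false
    if ($hasPrivateKey) {
        $one  = [System.Numerics.BigInteger]::One
        $dp   = ConvertFrom-RsaXmlInteger $k.DP
        $dq   = ConvertFrom-RsaXmlInteger $k.DQ
        $qInv = ConvertFrom-RsaXmlInteger $k.InverseQ
        $consistent = (($p * $q) -eq $n) -and
                      ((($e * $d) % ($p - $one)) -eq $one) -and
                      ((($e * $d) % ($q - $one)) -eq $one) -and
                      ($dp -eq ($d % ($p - $one))) -and
                      ($dq -eq ($d % ($q - $one))) -and
                      ((($qInv * $q) % $p) -eq $one)
    }

    # SHA-256 of the public modulus: identical on every server that holds this
    # container, so it can be compared after import without exposing the key.
    $modulusBytes = [Convert]::FromBase64String($k.Modulus)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($modulusBytes)).Replace('-', '')

    [pscustomobject]@{
        Path            = $Path
        KeySizeBits     = $modulusBytes.Length * 8
        HasPrivateKey   = $hasPrivateKey
        PrivateKeyValid = $consistent
        ModulusSha256   = $fingerprint
    }
}

# Usage (constructed): Test-ExportedRsaKeyContainer -Path .\keys.xml
```

A result with HasPrivateKey false means -pri was omitted and the file is useless for decryption on another server; a false PrivateKeyValid means the file was altered or truncated in transit. The ModulusSha256 value can be recorded before the file is deleted and compared against a fresh export from each server that imported the container, which confirms the farm shares one key without ever comparing private material.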

Importing an RSA Key Container

You can use the Aspnet_regiis.exe tool with the -pi switch to import an RSA key container from an XML file. You must also specify whether the imported key container is a machine-level or user-level key container. To import a user-level key container, you must be logged on as the user in whose Windows profile the key will be stored. To specify a user-level key, include the -pku option when importing the encryption key information; otherwise the exported key will be imported to the machine key store.

For example, the following command imports a machine-level RSA key container named SampleKeys from the file named keys.xml:

aspnet_regiis -pi "SampleKeys" keys.xml

The identity of the ASP.NET application that will use the imported RSA key container must be granted authority to read the contents of the RSA key container. For more information, see Granting Authority to Access an RSA Key Container earlier in this topic.
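The whole web-farm procedure the article describes (create an exportable container and grant the application identity read access on one server, export it with the private key, then import it and grant access on every other server) fits in a short PowerShell script. The script below is an added example, not code from the Microsoft article. It assumes .NET Framework 4.x, so that aspnet_regiis.exe is found under Framework64\v4.0.30319 (adjust the path for your framework version and bitness), that aspnet_regiis returns a non-zero exit code when a step fails, that the exported file uses the <RSAKeyValue> layout .NET writes (so the presence of a <D> element indicates the private key), and an application pool identity you supply; modern IIS application pools commonly run as IIS AppPool\<pool name> rather than NETWORK SERVICE. SampleKeys, keys.xml and NT AUTHORITY\NETWORK SERVICE are the article's own values; the function names are mine.

```powershell
# Added example, not part of the Microsoft article: automate the web-farm
# key-container deployment the article describes. Assumes .NET Framework 4.x
# (aspnet_regiis.exe under Framework64\v4.0.30319; adjust for your version and
# bitness) and that aspnet_regiis sets a non-zero exit code on failure.
$AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

function Invoke-AspnetRegiis {
    # Run aspnet_regiis with the given arguments and stop on failure instead
    # of silently continuing with a half-configured server.
    param([string[]]$ArgumentList)
    & $AspnetRegiis @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function New-SharedKeyContainer {
    # Run once, on the server that owns the key: create an exportable
    # machine-level container (-pc ... -exp), grant the application identity
    # read access (-pa), and export it with the private key (-pri), which the
    # other servers need in order to decrypt Web.config.
    param(
        [string]$ContainerName = 'SampleKeys',
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',
        [string]$ExportPath = "$PWD\keys.xml"
    )
    Invoke-AspnetRegiis @('-pc', $ContainerName, '-exp')
    Invoke-AspnetRegiis @('-pa', $ContainerName, $Identity)
    Invoke-AspnetRegiis @('-px', $ContainerName, $ExportPath, '-pri')

    # Fail fast if only the public key was written: such a file imports
    # without error but the importing server could never decrypt anything.
    [xml]$exported = Get-Content -LiteralPath $ExportPath -Raw
    if ([string]::IsNullOrEmpty($exported.RSAKeyValue.D)) {
        throw "$ExportPath contains only the public key; export with -pri"
    }
    return $ExportPath
}

function Import-SharedKeyContainer {
    # Run on every other server after copying keys.xml there: import the
    # container (-pi), grant the application identity read access (-pa), then
    # remove the XML file so the private key does not linger on disk, as the
    # article's note under "Exporting an RSA Key Container" recommends.
    param(
        [string]$ContainerName = 'SampleKeys',
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',
        [Parameter(Mandatory = $true)][string]$ImportPath
    )
    Invoke-AspnetRegiis @('-pi', $ContainerName, $ImportPath)
    Invoke-AspnetRegiis @('-pa', $ContainerName, $Identity)
    Remove-Item -LiteralPath $ImportPath -Force
}

# Usage (constructed values):
#   on the first server:
#     New-SharedKeyContainer -Identity 'IIS AppPool\DefaultAppPool'
#   after copying keys.xml to each remaining server, on that server:
#     Import-SharedKeyContainer -Identity 'IIS AppPool\DefaultAppPool' -ImportPath C:\deploy\keys.xml
```

Both functions run aspnet_regiis from an elevated prompt, since creating containers and changing their ACLs require administrative rights. The -pa step is repeated on every server because the ACL on the key container is per machine and is not carried by the XML file; the file carries only the key material.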

Deleting an RSA Key Container

To delete an RSA key container, you can use the Aspnet_regiis.exe tool with the -pz switch. Before you delete an RSA key container, ensure that you have either exported the key to an XML file so that it can be imported later, or that there is no information encrypted with the RSA key container that will ever need to be decrypted.

When deleting an RSA key container, you must specify the name of the key container and identify the container as machine-level or user-level. To delete a user-level key container, you must be logged on as the user in whose Windows profile the key is stored.

For example, the following command deletes the machine-level RSA key container named SampleKeys.

aspnet_regiis -pz "SampleKeys"

See Also

Tasks

Walkthrough: Creating and Exporting an RSA Key Container

Other Resources

Encrypting Configuration Information Using Protected Configuration

As an expert in secure configuration management for ASP.NET applications, I've had extensive experience working with the concepts discussed in the article dated October 22, 2014. The article revolves around the implementation of protected configuration using the RsaProtectedConfigurationProvider in ASP.NET applications to enhance security, especially in scenarios like deploying web applications across multiple servers or hosting multiple applications on a single server.

Here's an in-depth breakdown of the key concepts discussed in the article:

  1. Protected Configuration and RSA Key Containers:

    • Purpose: Protected configuration allows for creating, deleting, exporting, and importing RSA key containers when using the RsaProtectedConfigurationProvider.
    • Use Cases:
      • Deploying the same encrypted Web.config file to multiple servers in a web farm.
      • Enhancing security on a single web server hosting multiple ASP.NET applications.
  2. Creating RSA Key Containers:

    • Tool Used: ASP.NET IIS registration tool (Aspnet_regiis.exe).
    • Command: aspnet_regiis -pc "SampleKeys" -exp
    • Functionality: Creates an RSA key container named "SampleKeys" that is both machine-level and exportable.
  3. Granting Authority to Access RSA Key Containers:

    • Default Protection: RSA key containers are protected by NTFS access control lists (ACLs).
    • Authorization: ASP.NET application's process identity must be authorized to have read access to the RSA key container.
    • Command: aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"
  4. Exporting and Importing RSA Key Containers:

    • Export Command: aspnet_regiis -px "SampleKeys" keys.xml -pri
    • Import Command: aspnet_regiis -pi "SampleKeys" keys.xml
    • Security Measure: After export, it's recommended to copy the XML file externally and delete it from the server to reduce security risks.
  5. Deleting RSA Key Containers:

    • Deletion Command: aspnet_regiis -pz "SampleKeys"
    • Precaution: Ensure either the key is exported for future use or no information encrypted with the key container will need decryption.
  6. Additional Notes:

    • Default Key Container: The article mentions the default key container for the machine configuration, named "NetFrameworkConfigurationKey."
  7. Security Best Practices:

    • External Storage: Stresses the importance of storing exported XML files externally to mitigate the risk of unauthorized access to RSA key containers.

In summary, the article provides comprehensive guidance on managing RSA key containers for protected configuration in ASP.NET applications, emphasizing security practices at every step, including creation, authorization, export, import, and deletion of key containers. This knowledge is crucial for ensuring the confidentiality and integrity of sensitive configuration information in web applications.


FAQs

How do you export an RSA key container?

Exporting an RSA Key Container

To export an RSA key container to an XML file, you can use the Aspnet_regiis.exe tool with the -px switch. You can use the XML file as backup for the RSA key container or to import the RSA key container on a different server.

How do I export my RSA private key?

Right click on the certificate name and choose Export > Export Key Pair. When prompted for a password, enter the SSL Server Identity Certificate Private Key Password. Export the data to a .p12 file and then use that to import the certificate and private key into your new Authentication Manager server.

How to import an RSA key?

Import the RSA key pair in PEM format, and name the imported RSA key pair as rsa1 on Device B. When you see End with a Ctrl+C on a line by itself, copy the private key of the RSA key pair to Device B, press Ctrl+C, and then enter the password used to encrypt the RSA key pair when the key pair was exported.

What is an RSA key container?

User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity.

How do I generate an RSA key?

Generate RSA Keys
  1. Open a shell using Putty or another utility.
  2. Use commands to generate an RSA key file. Type the following command to generate RSA keys: ssh-keygen -t rsa. ...
  3. Navigate to the .rsakey folder that you created in step 2b. ...
  4. Locate the public key beginning with ssh and copy the key.

How do I import a token into RSA?

In the Security Console, click Authentication > SecurID Tokens > Import Tokens Job > Add New. Enter a name for the import job. The job is saved with this name so that you can review the details of the job later. The name must be from 1 to 128 characters.

Where is my RSA private key?

The Private Key is always generated alongside the CSR as a pair. Its exact location depends on the server it was generated on. Most server types and tools: Upon generating a CSR, the Private Key will be located in the same directory as the CSR.

How do I export a private key from a server?

In the console tree, navigate to the certificate you want to export. Right-click the certificate, select All Tasks, and then select Export. On the screen Welcome to the Certificate Export Wizard, select Next. To export the private key, select Yes, export the private key, then select Next.

How to export a private key without a password?

The workaround is to remove the password using another machine with openssl:
  1. Export the certificate from the PAN-OS device with a password.
  2. Edit the .pem file with a text editor to keep the encrypted private key only and save the file as "with-pass_private.key"

How do I verify my RSA key?

To verify that an RSA private key matches the RSA public key in a certificate, you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key. If it doesn't say 'RSA key ok', it isn't OK!

How do I download an RSA key?

Procedure
  1. In the Security Console of the target deployment, click Administration > Export/Import Tokens and Users > Download Encryption Key.
  2. Click Download Now.
  3. Use the File Download dialog box to select a location for the encryption key, and click Save.

What file format for RSA key?

PEM. This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default format for OpenSSL.

What is the difference between RSA key and private key?

RSA key is a private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session. It is a part of the public key infrastructure that is generally used in case of SSL certificates.

What is RSA key used for?

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission.

How do I find my RSA key on Windows?

By default, the system saves the keys generated with PuTTY and OpenSSH to C:\Users\your_username\.ssh\id_rsa. To find the keys, open the File Explorer and navigate to that folder. You should see two files. The identification is saved in the id_rsa file, and the public key is labeled id_rsa.pub.

How do I export my certificate authority key?

In the console tree, navigate to the certificate you want to export. Right-click the certificate, select All Tasks, and then select Export. On the screen Welcome to the Certificate Export Wizard, select Next. To export the private key, select Yes, export the private key, then select Next.

How do I export my ssh key?

To export your private SSH key:
  1. Select the OpenSSH keys keyring from the left side panel.
  2. Select the Personal SSH key, that has to be exported, from the list.
  3. Right click on the selected key and select Properties ▸ Details.
  4. Press the Export Private Key button to save the exported private key on your computer.

How do I save an RSA public key file?

Instructions (Windows)
  1. Invoke PuTTYgen on your local Windows host.
  2. Leave the Parameters at their default values. (RSA keys, 2048 bits.)
  3. Click Generate. ...
  4. Click Save public key. ...
  5. Click Save private key.
  6. Click Yes when presented with the PuTTYgen warning about a blank passphrase.

Article information

Author: Corie Satterfield
