Asp.net mvc 3 是否可以保护CloudConfigurationManager引用的Azure连接字符串?
我已经阅读了关于在web.config中通过加密内容和在Azure上设置证书来保护敏感数据的帖子,以便它们可以被读回 但是,Visual Studio Azure部署项目中我的“服务配置”.cscfg文件中存在绝密数据。我们在这里存储连接字符串和其他敏感数据,以便测试系统(也在Azure上)可以定向到等效的测试后端服务 这些数据是通过CloudConfigurationManager(例如GetSetting(“AwsSecretKey”)访问的,而不是博客文章中讨论的WebConfigurationManagerAsp.net mvc 3 是否可以保护CloudConfigurationManager引用的Azure连接字符串?,asp.net-mvc-3,azure,azure-sql-database,Asp.net Mvc 3,Azure,Azure Sql Database,我已经阅读了关于在web.config中通过加密内容和在Azure上设置证书来保护敏感数据的帖子,以便它们可以被读回 但是,Visual Studio Azure部署项目中我的“服务配置”.cscfg文件中存在绝密数据。我们在这里存储连接字符串和其他敏感数据,以便测试系统(也在Azure上)可以定向到等效的测试后端服务 这些数据是通过CloudConfigurationManager(例如GetSetting(“AwsSecretKey”)访问的,而不是博客文章中讨论的WebConfigurat
是否有可能以类似的方式保护此数据?重要的是,我们在测试和生产中有不同的AWS和SQL连接字符串,生产密钥对我和其他开发人员是隐藏的。是的,我们使用部署配置中上载的x509证书来实现这一点。但是,设置仅与保护私钥的策略/过程一样安全!以下是我们在Azure角色中用于解密ServiceConfiguration中的值的代码:
/// <summary>Wrapper that will wrap all of our config based settings.</summary>
public static class GetSettings
{
private static object _locker = new object();
/// <summary>locked dictionary that caches our settings as we look them up. Read access is ok but write access should be limited to only within a lock</summary>
private static Dictionary<string, string> _settingValues = new Dictionary<string, string>();
/// <summary>look up a given setting, first from the locally cached values, then from the environment settings, then from app settings. This handles caching those values in a static dictionary.</summary>
/// <param name="settingsKey"></param>
/// <returns></returns>
public static string Lookup(string settingsKey, bool decrypt = false)
{
// have we loaded the setting value?
if (!_settingValues.ContainsKey(settingsKey))
{
// lock our locker, no one else can get a lock on this now
lock (_locker)
{
// now that we're alone, check again to see if someone else loaded the setting after we initially checked it
// if no one has loaded it yet, still, we know we're the only one thats goin to load it because we have a lock
// and they will check again before they load the value
if (!_settingValues.ContainsKey(settingsKey))
{
var lookedUpValue = "";
// lookedUpValue = RoleEnvironment.IsAvailable ? RoleEnvironment.GetConfigurationSettingValue(settingsKey) : ConfigurationManager.AppSettings[settingsKey];
// CloudConfigurationManager.GetSetting added in 1.7 - if in Role, get from ServiceConfig else get from web config.
lookedUpValue = CloudConfigurationManager.GetSetting(settingsKey);
if (decrypt)
lookedUpValue = Decrypt(lookedUpValue);
_settingValues[settingsKey] = lookedUpValue;
}
}
}
return _settingValues[settingsKey];
}
private static string Decrypt(string setting)
{
var thumb = Lookup("DTSettings.CertificateThumbprint");
X509Store store = null;
try
{
store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
return Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(setting), false));
}
finally
{
if (store != null)
store.Close();
}
}
}
然后,为了完成该示例,我们创建了一个简单的WinForsm应用程序,使用以下代码对给定证书的值进行加密/解密。我们的生产团队维护对生产证书的访问,并使用WinForms应用程序加密必要的值。然后,它们向开发团队提供加密值。你可以找到一份工作。以下是WinForms应用程序的主要代码:
private void btnEncrypt_Click(object sender, EventArgs e)
{
var thumb = tbThumbprint.Text.Trim();
var valueToEncrypt = Encoding.ASCII.GetBytes(tbValue.Text.Trim());
var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PublicKey.Key;
var cypher = rsaProvider.Encrypt(valueToEncrypt, false);
tbEncryptedValue.Text = Convert.ToBase64String(cypher);
store.Close();
btnCopy.Enabled = true;
}
private void btnDecrypt_Click(object sender, EventArgs e)
{
var thumb = tbThumbprint.Text.Trim();
var valueToDecrypt = tbEncryptedValue.Text.Trim();
var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
tbDecryptedValue.Text = Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(valueToDecrypt), false));
}
private void btnCopy_Click(object sender, EventArgs e)
{
Clipboard.SetText(tbEncryptedValue.Text);
}
private void btnEncrypt\u单击(对象发送方,事件参数e)
{
var thumb=tbThumbprint.Text.Trim();
var valueToEncrypt=Encoding.ASCII.GetBytes(tbValue.Text.Trim());
var store=new X509Store(StoreName.My,rbLocalmachine.Checked?StoreLocation.LocalMachine:StoreLocation.CurrentUser);
打开(OpenFlags.ReadOnly);
var cert=store.Certificates.Cast().Single(xc=>xc.Thumbprint==thumb);
var rsaProvider=(rsacryptserviceprovider)cert.PublicKey.Key;
var cypher=rsaProvider.Encrypt(valueToEncrypt,false);
tbEncryptedValue.Text=Convert.tobase64字符串(cypher);
store.Close();
btnCopy.Enabled=true;
}
私有void btnDecrypt\u单击(对象发送方,事件参数e)
{
var thumb=tbThumbprint.Text.Trim();
var valueToDecrypt=tbEncryptedValue.Text.Trim();
var store=new X509Store(StoreName.My,rbLocalmachine.Checked?StoreLocation.LocalMachine:StoreLocation.CurrentUser);
打开(OpenFlags.ReadOnly);
var cert=store.Certificates.Cast().Single(xc=>xc.Thumbprint==thumb);
var rsaProvider=(rsapcryptoserviceprovider)cert.PrivateKey;
tbDecryptedValue.Text=Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(valueToDecrypt),false));
}
私有void btnCopy\u单击(对象发送方,事件参数e)
{
剪贴板.SetText(tbEncryptedValue.Text);
}
是的,我们使用部署配置中上载的x509证书执行此操作。但是,设置仅与保护私钥的策略/过程一样安全!以下是我们在Azure角色中用于解密ServiceConfiguration中的值的代码:
/// <summary>Wrapper that will wrap all of our config based settings.</summary>
public static class GetSettings
{
private static object _locker = new object();
/// <summary>locked dictionary that caches our settings as we look them up. Read access is ok but write access should be limited to only within a lock</summary>
private static Dictionary<string, string> _settingValues = new Dictionary<string, string>();
/// <summary>look up a given setting, first from the locally cached values, then from the environment settings, then from app settings. This handles caching those values in a static dictionary.</summary>
/// <param name="settingsKey"></param>
/// <returns></returns>
public static string Lookup(string settingsKey, bool decrypt = false)
{
// have we loaded the setting value?
if (!_settingValues.ContainsKey(settingsKey))
{
// lock our locker, no one else can get a lock on this now
lock (_locker)
{
// now that we're alone, check again to see if someone else loaded the setting after we initially checked it
// if no one has loaded it yet, still, we know we're the only one thats goin to load it because we have a lock
// and they will check again before they load the value
if (!_settingValues.ContainsKey(settingsKey))
{
var lookedUpValue = "";
// lookedUpValue = RoleEnvironment.IsAvailable ? RoleEnvironment.GetConfigurationSettingValue(settingsKey) : ConfigurationManager.AppSettings[settingsKey];
// CloudConfigurationManager.GetSetting added in 1.7 - if in Role, get from ServiceConfig else get from web config.
lookedUpValue = CloudConfigurationManager.GetSetting(settingsKey);
if (decrypt)
lookedUpValue = Decrypt(lookedUpValue);
_settingValues[settingsKey] = lookedUpValue;
}
}
}
return _settingValues[settingsKey];
}
private static string Decrypt(string setting)
{
var thumb = Lookup("DTSettings.CertificateThumbprint");
X509Store store = null;
try
{
store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
return Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(setting), false));
}
finally
{
if (store != null)
store.Close();
}
}
}
然后,为了完成该示例,我们创建了一个简单的WinForsm应用程序,使用以下代码对给定证书的值进行加密/解密。我们的生产团队维护对生产证书的访问,并使用WinForms应用程序加密必要的值。然后,它们向开发团队提供加密值。你可以找到一份工作。以下是WinForms应用程序的主要代码:
private void btnEncrypt_Click(object sender, EventArgs e)
{
var thumb = tbThumbprint.Text.Trim();
var valueToEncrypt = Encoding.ASCII.GetBytes(tbValue.Text.Trim());
var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PublicKey.Key;
var cypher = rsaProvider.Encrypt(valueToEncrypt, false);
tbEncryptedValue.Text = Convert.ToBase64String(cypher);
store.Close();
btnCopy.Enabled = true;
}
private void btnDecrypt_Click(object sender, EventArgs e)
{
var thumb = tbThumbprint.Text.Trim();
var valueToDecrypt = tbEncryptedValue.Text.Trim();
var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);
var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
tbDecryptedValue.Text = Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(valueToDecrypt), false));
}
private void btnCopy_Click(object sender, EventArgs e)
{
Clipboard.SetText(tbEncryptedValue.Text);
}
private void btnEncrypt\u单击(对象发送方,事件参数e)
{
var thumb=tbThumbprint.Text.Trim();
var valueToEncrypt=Encoding.ASCII.GetBytes(tbValue.Text.Trim());
var store=new X509Store(StoreName.My,rbLocalmachine.Checked?StoreLocation.LocalMachine:StoreLocation.CurrentUser);
打开(OpenFlags.ReadOnly);
var cert=store.Certificates.Cast().Single(xc=>xc.Thumbprint==thumb);
var rsaProvider=(rsacryptserviceprovider)cert.PublicKey.Key;
var cypher=rsaProvider.Encrypt(valueToEncrypt,false);
tbEncryptedValue.Text=Convert.tobase64字符串(cypher);
store.Close();
btnCopy.Enabled=true;
}
私有void btnDecrypt\u单击(对象发送方,事件参数e)
{
var thumb=tbThumbprint.Text.Trim();
var valueToDecrypt=tbEncryptedValue.Text.Trim();
var store=new X509Store(StoreName.My,rbLocalmachine.Checked?StoreLocation.LocalMachine:StoreLocation.CurrentUser);
打开(OpenFlags.ReadOnly);
var cert=store.Certificates.Cast().Single(xc=>xc.Thumbprint==thumb);
var rsaProvider=(rsapcryptoserviceprovider)cert.PrivateKey;
tbDecryptedValue.Text=Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(valueToDecrypt),false));
}
私有void btnCopy\u单击(对象发送方,事件参数e)
{
剪贴板.SetText(tbEncryptedValue.Text);
}
这是一个相当全面的解决方案。非常感谢你!这是一个相当全面的解决方案。非常感谢你!