This document demonstrates how Trust Services can be used to encrypt sensitive information stored in ASP.NET web.config files.

Quick Summary

In the scenario described in the figure below, we would like to protect sensitive information stored in config files such as "connectionStrings" so that it will improve the security
of the application by making it difficult for someone to gain access to sensitive data even if they have access to the web.config file.
Typically, there will be some authorized entity that will be deploying the application to the cloud. Once the developer checks-in the file, it would go through build system waiting to be deployed. Someone from the operations/deployment team would run the 'aspnet_regiis' tool to encrypt portions of the config file. This user would have the private certificate installed on his local machine to perform encryption through Trust Services. Once the encrypted Web.Config is ready, he would package it with the web app and deploy it to Windows Azure.

When the application is up and running, ASP.NET automatically takes care of decrypting configuration setting value when the application tries to access it. To learn more about the encryption/decryption of config files, please go to: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx. The key here is to configure the appropriate configuration provider in your Web.Config. Let's take a closer look at how Trust Services is used along with the 'Protected Configuration Provider' to perform encryption/decryption.


Out of the box, ASP.NET includes two protected config providers that can be used to encrypt sections of a Web.Config file: 

  1. RsaProtectedConfigurationProvider &
  2. DpapiProtectedConfigurationProvider

This sample provides a custom implementation of a protected configuration provider that uses Trust Services. The custom implementation of the provider is
in the project "TfsProtectedConfigurationProvider". It implements the "Encrypt" and "Decrypt" methods that will be invoked during encryption and decryption
respectively. It also implements the "Initialize" method that sets property values for the provider instance which are used to create a Trust Services instance
and to perform transformations with it.

Required Parameters for the Config Provider:

  • federationUrl - URL of the Trust Services
  • thumbprint - Represents the principal certificate of the publisher or subscriber. Currently the sample is tested using only one certificate for encryption and decryption. The provider looks for this cert in "LocalMachine\Personal" location.
  • trustServerName - Trust Server configured on the Portal.
  • policyUri - URI that represents the data policy for the config section. You will need to make sure that the data policy is added before its used for encryption/decryption

Running the Sample

Install a certificate for using with Trust Services:

1. If you choose to use the certificate that is included in the solution folder, you must install it locally (in LocalMachine\Personal store).
   The password for it is "trust".

Add Policy to encrypt the Config Section:

1. Create a data policy using the powershell script "CreatePolicy.ps1" located in the solution folder.

Configure TfsProtectedConfigurationProvider in Web.Config:

1. Configure the provider in web.config with the following info:
 a. 'trustServerName' parameter - This should be the trust server you had used in the previous step.
 b. 'thumbprint' parameter - You can leave this if you had used the 'PolicyAdmin.pfx' certificate, otherwise change it to the appropriate

Encrypt web.config:

1. Once the solution is successfully compiling, open a Visual Studio or Windows SDK command prompt and navigate to the solution folder.
 - If you don't have either Visual Studio or Windows SDK installed on your machine, you can choose to download the Windows SDK from here:
2. Make sure correct values are configured in the EncryptConfig.cmd script.
3. Run EncryptConfig.cmd to encrypt the "connectionStrings" config section in web.config located in the "debug" build folder.
4. Open Web.Config in the path mentioned above, and make sure you see something like this:
 "...<connectionStrings configProtectionProvider="TfsProtectedConfigurationProvider">
Notice that "connectionStrings" section has been encrypted.

Create Service Package:

1. To include the web.config in the service package, you can do this manually through Visual Studio:

  1. Create a backup of current web.config file in "SampleWebUi" project.
  2. Copying the web.config file from build folder (which has now encrypted sections) and overwrite it with the existing one.
  3. Do a clean build and right-click the SampleWebUiRole project to create a service package.

2. To do this through command line, there are a couple of options:       

  1. Use CSPack tool that is shipped with Windows Azure SDK - For more info, please read here http://msdn.microsoft.com/en-us/library/windowsazure/gg432988.aspx.
  2. Use MSBuild - http://msdn.microsoft.com/en-us/library/windowsazure/hh301088.aspx

Before deploying to service:

1. Create a hosted service
2. Upload "PolicyAdmin" (password = "trust") and "SampleWebUi-Remote" (password = "test") certificates to Azure Portal.

Enabling remote desktop to verify that the config file is encrypted:

1. The sample ships with a sample certificate that can be used to enable Remote Desktop connection.
2. If you have not made any changes to the Service configuration file, then RDP should have been enabled. The credentials are UserId/Pwd - test/RdcRdc2.

After service is deployed:

1. After remoting to the machine, open "E:\approot\web.config" file to ensure that the config sections are encrypted.
2. Navigate to the site (<dnsname>.cloudapp.net) and on the home page you should see the connection string displayed in clear text.
   This is just to show that the ASP.NET process was able to successfully decrypt the config section!


Quick Links