Web.Config encryption using RsaProtectedConfigurationProvider - "Bad Data" error
From your description, you're encountering some problems about encypting web.config via exportable RSA provider, correct?
According to the RSA encryption reference, I've performed some local tests, the normal process of encrypting web.config section via RSA provider and move to other machine is as below:
======================Step 1
Create a machine-level RSA key container:aspnet_regiis -pc "MyTestKeys" -exp
Step 2
Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
Step 3
Encrypt the config file:aspnet_regiis -pef "connectionStrings" "physical path of the web site folder" -prov MyRSAProvider
export the container and import it back to other machine using the following steps
Step 4
Export the machine-level RSA key container:aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri
Step 5
Copy Config-Key.xml to c:\ on 2nd server
Step 6
Import the the machine-level RSA key container on the 2nd server:aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"
Step 7
Grant Read Access to the RSA Encryption Key:aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"
Step 8
Copy encrypted web.config to 2nd server
========================
Based on the steps you mentioned, I think most of the process you've followed should be correct. So far I'd like to suggest you check the following things:
- Check your custom RSA provider setting to see whether it is correctly copied to target machine also and set to use Machine container
========encrypt config section=======
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
- AS in the above steps, after you create RSA key container, you need to use "aspnet_regiis -pa" to make sure that the certain account(which will run your ASP.NET application) has the sufficient access permission to the key container. Generally, when you use VS 2008/VS 2005 test server to run ASP.NET application, you're using the logon user(which is probably the admin), however, if you run the ASP.NET in IIS (or after move to other server which is using another different process account), you need to make sure the certain process account have been granted the permission.
You can check them to see whether the problem is due to some of them.
Sincerely,Sanjay Manju suman
Be careful that the name of the element to encrypt is case sensitive.So you should use "connectionStrings" not "connectionstrings" or "ConnectionStrings".
I followed the approach listed below when I had Bad Data
error while manual decryption.
- Add
Remove
andClear
tags inconfigProtectedData
. - Verify
–pri
was used while exporting key - Also ensure that keyContainerName is same as the one used for regstering
keyContainerName="MyKeys"
CONFIG
<configProtectedData> <providers> <clear/><remove name="RSAProtectedConfigurationProvider" /> <add name="RSAProtectedConfigurationProvider" keyContainerName="MyKeys" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
 processorArchitecture=MSIL" useMachineContainer="true" /> </providers></configProtectedData>
REFERENCE