为什么要加密 Web 配置文件?

发布于 2024-11-06 07:54:10 字数 611 浏览 3 评论 0原文

据我所知,web.config 文件中的任何部分都可以加密和加密。使用 aspnet_regiis.exe 解密。

如果aspnet_regiis可以用来解密web.config文件,那么加密它有什么意义呢?仅仅是为了保存密码吗?敏感信息是否以纯文本形式存储?如果拥有该文件和 exe 的任何人都可以解密它,它真的可以保护敏感的配置信息吗?

更新

感谢所有回答有关机器密钥问题的人。我问这个问题的原因是因为我们在 codeplex.com 上托管了一个开源项目。不过,我们也将此项目部署到 Windows Azure。我正在尝试找到一种最佳方法,使敏感密码不受源代码控制,但在部署到 Azure 时将其作为我的项目的一部分进行访问。

目前,我正在使用 Web 配置转换来存储 Azure 连接字符串(以及 system.net 的 Gmail 密码)。我创建了一个 Web.PublishToAzure.config 转换文件,并且只是将该文件置于源代码控制之外。我还发现了这篇文章,它可能是更好的选择。再次感谢。

As far as I can tell, any section in a web.config file can be encrypted & decrypted using aspnet_regiis.exe.

If aspnet_regiis can be used to decrypt the web.config file, then what's the point of encrypting it? Is it just to keep passwords & sensitive information from being stored as plain text? If anyone with the file and the exe can decrypt it, does it really protect sensitive config info?

UPDATE

Thanks to everyone who answered regarding the machine key. The reason I asked this question is because we have an open source project hosted at codeplex.com. However, we also deploy this project to Windows Azure. I am trying to find a best approach to keep the sensitive passwords out of source control, but keep them accessible as part of my project for when I deploy to Azure.

Currently, I am using web config transforms to store the Azure connection strings (as well as Gmail passwords for system.net). I've created a Web.PublishToAzure.config transform file, and just kept that file out of source control. I also found this article which may be a better option. Thanks again.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

眼眸里的那抹悲凉 2024-11-13 07:54:10

该文件使用机器特定的密钥进行加密。虽然确实任何具有计算机级别访问权限的人都可以解密它,但对其进行加密会阻止具有 FTP 访问权限的人,因为他们没有计算机的 DPAPI 密钥。

The file is encrypted using machine-specific keys. While it is true that anyone with machine-level access could decrypt it, encrypting it would stop people with FTP access since they don't have the machine's DPAPI keys.

话少心凉 2024-11-13 07:54:10

我的理解是 aspnet_regiis.exe 使用计算机特定密钥作为“盐”

如果您加密计算机上的一个部分,然后将配置带到另一台计算机并尝试解密它,它将不起作用。

My understanding is that the aspnet_regiis.exe uses a machine specific key as a "salt"

If you encrypt a section on a machine, and then take the config to another machine and try to decrypt it, it will not work.

翻了热茶 2024-11-13 07:54:10

历史上,浏览器或网络服务器软件中存在漏洞,允许用户查看服务器硬盘上的任何文件。在这种情况下,加密的 web.config 文件可能会有一些用处。但是,如果 Web 服务器已被破坏,允许远程访问服务器本身,那么拥有加密的 web.config 文件将是您最不用担心的。

In history, there were exploits in browsers or web server software that allowed users to view any file on the server's hard drive. In a case such as this, the encrypted web.config file could be of some use. However if a web server has been compromised allowing remote access to the server itself, then having an encrypted web.config file will be the least of your worries.

煮酒 2024-11-13 07:54:10

简单的答案:他们将无法访问密钥,

我相信默认情况下密钥存储在计算机的证书存储中,因此恶意用户也需要访问该密钥。我不是专家,但这就是要点。

Simplistic answer: they won't have access to the key

I believe by default the key is stored in the machine's certificate store, so a malicious user would need to have access to that too. I'm not an expert but that's the gist of it.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文