当前位置：文江博客话题详情

我应该在哪里存储不以纯文本形式存储的 Azure 角色设置？

发布于 2024-11-19 04:52:31 字数 264 浏览 5 评论 0原文

看起来存储 Azure 角色设置的标准方法位于 .cscfg 文件中的标记下。看起来很方便，但该文件没有以任何方式加密 - 它是一个 XML，以纯文本形式上传到 Azure 门户，并以纯文本形式存储，可以随时编辑。

在我的应用程序中，我需要一些不应存储为纯文本的设置，例如 SQL Azure 数据库的密码。我不想拥有包含该密码的纯文本 XML 文件。如何存储此类角色设置？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

如歌彻婉言 2024-11-26 04:52:31

在本地执行此操作的典型方法是在单台计算机上使用 DPAPI。当然，这在网络农场中存在问题。要解决此问题，您可以在每台计算机上共享一个密钥并进行加密。最简单的方法是使用基于证书的加密。

没有什么反对 Michael 引用的 SQL Azure 帖子，但这必须是有史以来最长的系列，告诉您使用 PKCS12 配置提供程序。使用该提供程序的唯一原因是它与 ASP.NET 的内置工具结合使用，可以自动从 appSettings 读取。它对需要更改的 ServiceConfiguration 没有帮助。

如果您想要做的只是安全地保护某个设置（通常在 ServiceConfig 中）并且您不介意编写一个实用程序类来执行此操作，那么您可以将这两个函数与上传到 Windows Azure 的任何证书（带有私钥）一起使用。这正是服务配置中远程访问密码的加密方式。

加密：

var passwordBytes = UTF8Encoding.UTF8.GetBytes("p@ssw0rd");
var contentInfo = new ContentInfo(passwordBytes);
var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";

var env = new EnvelopedCms(contentInfo);

X509Store store = null;

try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    store.Open(OpenFlags.ReadOnly);
    var cert = store.Certificates.Cast<X509Certificate2>().Where (xc => xc.Thumbprint == thumb).Single();

    env.Encrypt(new CmsRecipient(cert));

    Convert.ToBase64String(env.Encode()).Dump();
}
finally
{
    if (store != null)
        store.Close();
}

解密：

var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";

var cipherText = "MIIBrwYJKoZIhvcNAQcDoIIBoDCCAZwCAQAxggFgMIIBXAIBADBEMDAxLjAsBgNVBAMTJWR1bm5yeTd0YWIucmVkbW9uZC5jb3JwLm1pY3Jvc29mdC5jb20CECNRAOTmySOQTA2HuEpAcD4wDQYJKoZIhvcNAQEBBQAEggEAkIxJNnCb1nkZe3Gk2zQO8JQn2hOYM9+O9yx1eprTn7dCwjIlYulUMIYwFCMDI7TiYCXG7cET2IP/ooNBPYwxzAvEL5dUVIMK9EDE0jyRP3sGPGiSvG0MW8+xZuQx4wMGNSwm2lVW1ReVRGEpTeTcUFSBCPvXsULpbqCqXtSTgjsHngxgOKjmrWBIdrxCDxtfzvNPgSQ2AVqLTRKgFTN9RHUwJJ2zhGW+F+dBfxai3nlr7HN7JKiIdlNA0UjCd/kSIZqNfPlvd2V58RBMpkW+PEp3vpBa/8D/fhU3Qg/XBNXhroES7aVDB5E16QYO6KgPdXMCpLcQ4e9t1UhokEwUizAzBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECEImLeoQJeVkgBCQ94ZxmHnVkBWrID+S4PEd";

X509Store store = null;

try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    store.Open(OpenFlags.ReadOnly);
    var cert = store.Certificates.Cast<X509Certificate2>().Where (xc => xc.Thumbprint == thumb).Single();

    var bytes = Convert.FromBase64String(cipherText);
    var env = new EnvelopedCms();
    env.Decode(bytes);
    env.Decrypt();
    Encoding.UTF8.GetString(env.ContentInfo.Content).Dump();
}
finally
{
    if (store != null)
        store.Close();
}

The typical way to do this on-premises is to use DPAPI on a single machine. Of course, this has problems on a web farm. To work around this, you can share a single key on each machine and encrypt. The easiest way to do this is to use certificate based encryption.

Nothing against the SQL Azure posts referenced by Michael, but that had to be the longest series ever to tell you to use the PKCS12 configuration provider. The only reason to use that provider is that it works in conjuction with the built-in tooling from ASP.NET that can read from appSettings automatically. It doesn't help with ServiceConfiguration that needs to change.

If all you want to do is securely protect a setting (typically in ServiceConfig) and you don't mind writing a utility class to do it, then you can use these two functions with any certificate (with private key) uploaded to Windows Azure. This is exactly how the password for remote access is encrypted in the Service Configuration.

Encrypt:

var passwordBytes = UTF8Encoding.UTF8.GetBytes("p@ssw0rd");
var contentInfo = new ContentInfo(passwordBytes);
var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";

var env = new EnvelopedCms(contentInfo);

X509Store store = null;

try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    store.Open(OpenFlags.ReadOnly);
    var cert = store.Certificates.Cast<X509Certificate2>().Where (xc => xc.Thumbprint == thumb).Single();

    env.Encrypt(new CmsRecipient(cert));

    Convert.ToBase64String(env.Encode()).Dump();
}
finally
{
    if (store != null)
        store.Close();
}

Decrypt:

var thumb = "F49E41878B6D63A8DD6B3650030C1A06DEBB5E77";

var cipherText = "MIIBrwYJKoZIhvcNAQcDoIIBoDCCAZwCAQAxggFgMIIBXAIBADBEMDAxLjAsBgNVBAMTJWR1bm5yeTd0YWIucmVkbW9uZC5jb3JwLm1pY3Jvc29mdC5jb20CECNRAOTmySOQTA2HuEpAcD4wDQYJKoZIhvcNAQEBBQAEggEAkIxJNnCb1nkZe3Gk2zQO8JQn2hOYM9+O9yx1eprTn7dCwjIlYulUMIYwFCMDI7TiYCXG7cET2IP/ooNBPYwxzAvEL5dUVIMK9EDE0jyRP3sGPGiSvG0MW8+xZuQx4wMGNSwm2lVW1ReVRGEpTeTcUFSBCPvXsULpbqCqXtSTgjsHngxgOKjmrWBIdrxCDxtfzvNPgSQ2AVqLTRKgFTN9RHUwJJ2zhGW+F+dBfxai3nlr7HN7JKiIdlNA0UjCd/kSIZqNfPlvd2V58RBMpkW+PEp3vpBa/8D/fhU3Qg/XBNXhroES7aVDB5E16QYO6KgPdXMCpLcQ4e9t1UhokEwUizAzBgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECEImLeoQJeVkgBCQ94ZxmHnVkBWrID+S4PEd";

X509Store store = null;

try
{
    store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    store.Open(OpenFlags.ReadOnly);
    var cert = store.Certificates.Cast<X509Certificate2>().Where (xc => xc.Thumbprint == thumb).Single();

    var bytes = Convert.FromBase64String(cipherText);
    var env = new EnvelopedCms();
    env.Decode(bytes);
    env.Decrypt();
    Encoding.UTF8.GetString(env.ContentInfo.Content).Dump();
}
finally
{
    if (store != null)
        store.Close();
}

回复收藏 0 原文