Importing and Exporting Protected Configuration RSA Key Containers (2024)


Protected configuration provides the capability to create, delete, export, and import RSA key containers when using the RsaProtectedConfigurationProvider. One scenario where this is useful is in a Web farm where the same encrypted Web.config file will be deployed to several servers. In that case, the same RSA key container must also be deployed to those servers. To accomplish this, you would create an RSA key container for the application, export it to an XML file, and import it on each server that needs to decrypt the encrypted Web.config file.

Creating RSA key containers can also be useful on a single Web server that hosts multiple ASP.NET applications. By creating an RSA key container for each application or for each set of applications for a single customer, you can improve the security of an application's sensitive configuration information by ensuring that the Web.config file for one application cannot be decrypted using the RSA key container from another application.

Creating an RSA Key Container

To create an RSA key container, you use the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the -pc switch. You must give the key container a name, which identifies the key container used by the RsaProtectedConfigurationProvider specified in the configProtectedData section of your application's Web.config file. To ensure that your newly created RSA key container can be exported, you must include the -exp option.

For example, the following command creates an RSA key container named SampleKeys that is a machine-level key container and is exportable.

aspnet_regiis -pc "SampleKeys" -exp

The following example shows the configProtectedData section of a Web.config file. The section specifies an RsaProtectedConfigurationProvider that uses a machine-level RSA key container named SampleKeys.

<configProtectedData>
  <providers>
    <add name="SampleProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="SampleKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>

Note

To guard against encryption and decryption keys for protected configuration sections being unintentionally deleted, RSA key containers are not deleted if the .NET Framework is uninstalled.

Granting Authority to Access an RSA Key Container

By default, RSA key containers are tightly protected by NTFS access control lists (ACLs) on the server where they are installed. This improves the security of the encrypted information by restricting who can access the encryption key.

Before ASP.NET can use an RSA key container, the process identity of your ASP.NET application must be authorized to have read access to that RSA key container. For information on setting and determining the identity of your ASP.NET application, see ASP.NET Impersonation.

You can use the Aspnet_regiis.exe tool with the -pa switch to give the identity of your ASP.NET application permission to read an RSA key container. For example, the following command grants the Windows Server 2003 NETWORK SERVICE account access to read the machine-level RSA key container named SampleKeys:

aspnet_regiis -pa "SampleKeys" "NT AUTHORITY\NETWORK SERVICE"

Note

If the RSA key container is a user-level container, you must be logged on as the user in whose Windows profile the key is stored, and you must include the -pku option to grant access to the user-level RSA key container. For more information, see Understanding Machine-Level and User-Level RSA Key Containers.

To use the default RsaProtectedConfigurationProvider specified in the machine configuration, you must first grant the application's Windows identity access to the machine key container named NetFrameworkConfigurationKey, which is the key container specified for the default provider. For example, the following command grants the NETWORK SERVICE account access to the RSA key container used by the default RsaProtectedConfigurationProvider:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

The NetFrameworkConfigurationKey RSA key container is the default key container for commands issued by the Aspnet_regiis.exe tool. The preceding command could therefore also be issued as the following:

aspnet_regiis -pa "NT AUTHORITY\NETWORK SERVICE"

Exporting an RSA Key Container

To export an RSA key container to an XML file, you can use the Aspnet_regiis.exe tool with the -px switch. You can use the XML file as a backup for the RSA key container or to import the RSA key container on a different server. The private key portion of the RSA key container is required in order to decrypt encrypted information. To make use of your exported key container on another server, you will need to import the private key as well. You can include the private key in your XML file by specifying the -pri option when exporting the key. You must also specify whether the exported key container is machine-level or user-level. To export a user-level key container, you must be logged on as the user in whose Windows profile the key is stored. To specify a user-level key, include the -pku option when exporting the encryption key information; otherwise the exported key will be from the machine key store. For more information on machine-level and user-level encryption keys, see Understanding Machine-Level and User-Level RSA Key Containers.

For example, the following command exports the machine-level RSA key container named SampleKeys to the file named keys.xml and includes the private key information.

aspnet_regiis -px "SampleKeys" keys.xml -pri

Note

For security, after you export an RSA key container to an XML file, copy the XML file to a location external to the server and delete the XML file from the server. This reduces the chance of an attacker gaining access to your RSA key container and thereby the ability to decrypt Web.config files encrypted using that RSA key container.

Importing an RSA Key Container

You can use the Aspnet_regiis.exe tool with the -pi switch to import an RSA key container from an XML file. You must also specify whether the imported key container is a machine-level or user-level key container. To import a user-level key container, you must be logged on as the user in whose Windows profile the key will be stored. To specify a user-level key, include the -pku option when importing the encryption key information; otherwise the key will be imported into the machine key store.

For example, the following command imports a machine-level RSA key container named SampleKeys from the file named keys.xml:

aspnet_regiis -pi "SampleKeys" keys.xml

The identity of the ASP.NET application that will use the imported RSA key container must be granted authority to read the contents of the RSA key container. For more information, see Granting Authority to Access an RSA Key Container earlier in this topic.

Deleting an RSA Key Container

To delete an RSA key container, you can use the Aspnet_regiis.exe tool with the -pz switch. Before you delete an RSA key container, ensure that you have either exported the key to an XML file so that it can be imported later, or that there is no information encrypted with the RSA key container that will ever need to be decrypted.

When deleting an RSA key container, you must specify the name of the key container and identify the container as machine-level or user-level. To delete a user-level key container, you must be logged on as the user in whose Windows profile the key is stored.

For example, the following command deletes the machine-level RSA key container named SampleKeys.

aspnet_regiis -pz "SampleKeys"
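The Web farm scenario from the start of this topic, carried through the create, grant, export, import and clean-up steps above as one PowerShell script. This is an added example, not part of the original article: the aspnet_regiis.exe path, the target server names, the temporary file locations and the use of PowerShell remoting are all assumptions.

```powershell
# Added example (not from the original article). Assumes a 64-bit .NET Framework 4.x
# install path, PowerShell remoting to the farm members, and the names below.
$ErrorActionPreference = 'Stop'

$regiis      = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container   = 'SampleKeys'                     # matches keyContainerName in Web.config
$appIdentity = 'NT AUTHORITY\NETWORK SERVICE'   # application pool identity (assumed)
$exportFile  = Join-Path $env:TEMP 'keys.xml'   # temporary export location (assumed)
$targets     = @('web02', 'web03')              # other farm members (assumed names)

function Invoke-Regiis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create an exportable machine-level container; without -exp the later -px -pri fails.
Invoke-Regiis @('-pc', $container, '-exp')

# 2. Grant the application identity read access to the container on this server.
Invoke-Regiis @('-pa', $container, $appIdentity)

# 3. Export with the private key. The XML can now decrypt every Web.config protected
#    with this container, so strip inherited ACLs and restrict it to the current user.
Invoke-Regiis @('-px', $container, $exportFile, '-pri')
icacls $exportFile /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null

# 4. Import on each farm member, grant the same identity there, and never leave the
#    private key file behind on the target.
$keyXml = Get-Content -Path $exportFile -Raw
foreach ($server in $targets) {
    Invoke-Command -ComputerName $server -ArgumentList $regiis, $container, $appIdentity, $keyXml -ScriptBlock {
        param($regiis, $container, $appIdentity, $keyXml)
        $remoteFile = Join-Path $env:TEMP 'keys.xml'
        Set-Content -Path $remoteFile -Value $keyXml
        try {
            & $regiis '-pi' $container $remoteFile
            if ($LASTEXITCODE -ne 0) { throw "import failed on $env:COMPUTERNAME" }
            & $regiis '-pa' $container $appIdentity
            if ($LASTEXITCODE -ne 0) { throw "grant failed on $env:COMPUTERNAME" }
        } finally {
            Remove-Item -Path $remoteFile -Force
        }
    }
}

# 5. Remove the export from the source server once every target has imported it;
#    keep only an offline copy, as the note in the export section advises.
Remove-Item -Path $exportFile -Force
```

If a target later needs the container removed, the same container name is passed to -pz there; the offline copy of keys.xml is the only way to restore it afterwards.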

See Also

Tasks

Walkthrough: Creating and Exporting an RSA Key Container

Other Resources

Encrypting Configuration Information Using Protected Configuration
