Is ConfigurationManager → section.SectionInformation.ProtectSection() machine dependent?

In code:

    // Open the config file that belongs to the running executable.
    Configuration config = ConfigurationManager.OpenExeConfiguration(Application.ExecutablePath);
    ConnectionStringsSection section = config.GetSection("connectionStrings") as ConnectionStringsSection;
    // Encrypt the section only if it is not protected yet.
    if (!section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    }

I'm having problems moving the application to another machine.

Is the section.SectionInformation.ProtectSection call machine dependent, that is, I cannot copy the configuration file and use it on another computer?

Is there a provider (other than DataProtectionConfigurationProvider) that is machine independent?

My application requires it to work on several machines with the same configuration file (it must be run from a flash drive).

Thanks, Fabio

+8
cryptography connection-string app-config
1 answer

Is the section.SectionInformation.ProtectSection call machine dependent, i.e. I cannot copy the configuration file and use it on another computer?

Yes, that's right, as far as I can tell. This article says that keys are stored per machine or per user.

Is there a provider (other than DataProtectionConfigurationProvider) that is machine independent?

Out of the box, the two providers I know (DataProtectionConfigurationProvider and RsaProtectedConfigurationProvider) have the same "problem". I found some hints that the RSA provider allows key reuse on different machines, but I have not found examples of how to achieve this.

However, there is a way to achieve what you need. I just did it myself yesterday, since I had a similar problem (I had a requirement to run the application from a network location, and all clients needed to share the same encrypted configuration file). You can roll your own ProtectedConfigurationProvider. Here are some links that illustrate the concept:

Using these articles, I was able to create my own ProtectedConfigurationProvider, which is independent of the machine or user, and use it in the application. I have a post-build step in my release build that protects the configuration section, and therefore I only ever deploy the protected version. Reading the protected section data works as you would expect on other machines without any problems. Of course, you must be very careful about how to safely encrypt and decrypt your sections. Here are some examples outlining how to do this; this is one of them, I think.

One of the things that is not clearly stated in any of the three articles is how to get your application to find your provider if you are not using ASP.NET. The usual way of installing it into the global assembly cache will probably not work for you, since you state that you run the application from a flash drive. So you need to add it to your app.config file, similar to this:

    <?xml version="1.0"?>
    <configuration>
      ...
      <configProtectedData defaultProvider="MyEncryptionProvider">
        <providers>
          <add name="MyEncryptionProvider"
               type="MyAssembly.MyEncryptionProvider, MyAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=whatever_the_assembly_token_is" />
        </providers>
      </configProtectedData>
      ...
    </configuration>

This should work if the assembly that performs the encryption is on the same path as your main assembly. I am using a signed assembly; sn -T {Assembly} will provide you with the PublicKeyToken, which you will need to enter into the configuration file.

Section protection is performed as follows:

    using System.Configuration;
    ...
    Configuration oConfiguration = ConfigurationManager.OpenExeConfiguration(yourExePath);
    // Section to protect; "connectionStrings" is the section named in the question.
    ConfigurationSection oSection = oConfiguration.GetSection("connectionStrings");
    oSection.SectionInformation.ProtectSection("MyEncryptionProvider");
    // Write the section back even if its contents did not change.
    oSection.SectionInformation.ForceSave = true;
    oConfiguration.Save();

I tested it today and it worked with a configuration file encrypted on the development machine (XP SP3) and used on XP SP2, Win7 32-bit and Win7 64-bit.

DISCLAIMER

  • Not sure whether this works if you don't sign your builds.
  • Use at your own risk, I am not a security specialist by any standards.
+10
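
The custom provider the answer describes, as an added example that is not the answerer's code or part of the original page: it encrypts the section with AES-CBC and authenticates it with HMAC-SHA256, so a tampered file is rejected before decryption. The class and namespace match the `MyAssembly.MyEncryptionProvider` registration shown above; the environment variable `MYAPP_CONFIG_KEY` and the key layout are assumptions made for this example.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

namespace MyAssembly {
// Added example: encrypt-then-MAC provider whose key is not tied to a machine or user.
public class MyEncryptionProvider : ProtectedConfigurationProvider {
    // Assumption: MYAPP_CONFIG_KEY (hypothetical name) holds 64 random bytes, Base64-encoded,
    // delivered separately from the config file. Bytes 0-31: AES key; bytes 32-63: HMAC key.
    static byte[] Key(int offset) {
        string b64 = Environment.GetEnvironmentVariable("MYAPP_CONFIG_KEY");
        byte[] all = string.IsNullOrEmpty(b64) ? new byte[0] : Convert.FromBase64String(b64);
        if (all.Length != 64) throw new ConfigurationErrorsException("MYAPP_CONFIG_KEY must hold 64 bytes");
        return all.Skip(offset).Take(32).ToArray();
    }
    static XmlNode Parse(string xml) {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc.DocumentElement;
    }
    // Receives the plain section element, returns the <EncryptedData> element stored in its place.
    public override XmlNode Encrypt(XmlNode node) {
        byte[] plain = Encoding.UTF8.GetBytes(node.OuterXml);
        using (Aes aes = Aes.Create())                        // AES-CBC with a fresh random IV
        using (ICryptoTransform enc = aes.CreateEncryptor(Key(0), aes.IV))
        using (var mac = new HMACSHA256(Key(32))) {
            byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
            byte[] blob = body.Concat(mac.ComputeHash(body)).ToArray();   // IV || ciphertext || tag
            return Parse("<EncryptedData>" + Convert.ToBase64String(blob) + "</EncryptedData>");
        }
    }
    // Receives the <EncryptedData> element, returns the original section element.
    public override XmlNode Decrypt(XmlNode encryptedNode) {
        byte[] blob = Convert.FromBase64String(encryptedNode.InnerText);
        if (blob.Length < 64) throw new ConfigurationErrorsException("Protected section is truncated");
        byte[] body = blob.Take(blob.Length - 32).ToArray();
        using (var mac = new HMACSHA256(Key(32))) {
            byte[] tag = mac.ComputeHash(body);
            int diff = 0;                                     // constant-time tag comparison
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ blob[body.Length + i];
            if (diff != 0) throw new ConfigurationErrorsException("Protected section failed its integrity check");
        }
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(Key(0), body.Take(16).ToArray()))
            return Parse(Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16)));
    }
}
}
```

Anyone who can read both the key and the config file can decrypt the section, so where the key lives determines how much protection the provider gives; a key compiled into the assembly or stored beside the file on the same drive only obscures the connection strings.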