1.利用代碼加解密

 

using System.Web.Configuration;


    
//加密web.Config中的指定節(jié)
    private void ProtectSection(string sectionName)

    {

        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

        ConfigurationSection section = config.GetSection(sectionName);

        if (section != null && !section.SectionInformation.IsProtected)

        {

            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

            config.Save();

        }

    }


    //解密web.Config中的指定節(jié)
    private void UnProtectSection(string sectionName)

    {

        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

        ConfigurationSection section = config.GetSection(sectionName);

        if (section != null && section.SectionInformation.IsProtected)

        {

            section.SectionInformation.UnprotectSection();

            config.Save();

        }

    }

示例:

//加密連接字符串
 protected void btnEncrypt_Click(object sender, EventArgs e)

 {

     ProtectSection("connectionStrings");

 }

變化:

加密前:

<connectionStrings>

  <add name="connStr" connectionString="Data Source=server;Initial Catalog=Lib;User ID=sa;password=***"

   providerName="System.Data.SqlClient" />

 </connectionStrings>

加密后:

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">

  <EncryptedData>

   <CipherData>

   

<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAYzAtjjJo0km/XdUrGFh3YAQAAAACAAAAAAADZgAAqAAAABAAAAD5H0RB6uSYHCk33lo9x5VHAAAAAASAAACgAAAAEAAAALS6KNeUNySZfZ/0tpmh7YWAAQAA85NFHJH

oVx1aW5pTaFfLtTo5J9lWoBR76IYIinLiIjcTeJ4tuAstgCspZlK9NMgzyWmWbbNbb8Z8canVCUpdKF0xmTBTpVih08TtODLszcUpCsJGvEgxuDPi6JtKjG/nT+UvpRp154TNnm04LP/iq1InDxePW2tEViHIiooEXARX8FLY00R

FBaUgarrfi5Fppu4usqavdnj7oqwFEbp3MXOaWY6m9qyVzNsf2G1UwBrivsrM4hZUcr1hy/S87co63ioWie8QDVgGuaTEaSyklC9STyvRsLU6A/QxalCHY4VoRjzNS/27vGoin+c3AJ587wMKJyJBiV08DyzoGM7elAlg8yTAeHv

VMLOEFcTUwsCG0f2rwhi3fZYUyykczYsfHXLEXdbJ+YRiBxYWP6xzffIdyWzrawxaIfnPq/pw6e2Vrwt6tJthDImu0tzXdwupbJVdy4T5vQvy4Fw3SB9lmbSZQacekaXcViBdX7Tejx7TTpDs36RdAOf8WcVMJH4FFAAAACjQFCa

OcSfbD2LXX4YP506vHDXw</CipherValue>

   </CipherData>

  </EncryptedData>

 </connectionStrings>

注意:

加密后，仍然可以按以前的操作來(lái)讀取，不需要額外的解決操作,因?yàn)?BR>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">

這里已經(jīng)指定了用何種方式解密，asp.net會(huì)自動(dòng)處理

 

2.利用aspnet_regiis.exe工具加解密

步驟:
1.先在本地生成RSA容器(有關(guān)RSA的詳細(xì)操作，可參見(jiàn)http://msdn.microsoft.com/zh-cn/library/yxw286t2(VS.80).aspx )

aspnet_regiis.exe -pc "JimmyKeys" -exp

注:JimmyKeys為容器名字，可隨便改

2.再將RSA導(dǎo)出到xml文件

aspnet_regiis.exe -px "JimmyKeys" "c:\JimmyKeys.xml"

3.在web.config中增加一節(jié),一般放在<appSettings>之前就可以了，如下

<configProtectedData>

        <providers>

            <add name="JimmyRSAProvider"

               
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

                keyContainerName="JimmyKeys"

                useMachineContainer="true" />

           

        </providers>

    </configProtectedData>

        <appSettings>

        ...

       
4.將web.config加密

aspnet_regiis.exe -pef "appSettings" "c:\website" -prov "JimmyRSAProvider"

解密:

aspnet_regiis.exe -pdf "appSettings" "c:\website"

5.部署到遠(yuǎn)程服務(wù)器(1臺(tái)或多臺(tái))

a.將網(wǎng)站文件與JimmyKeys.xml(也就是導(dǎo)出的RSA容器文件)先上傳到服務(wù)器,同時(shí)導(dǎo)入RSA

aspnet_regiis.exe -pi "JimmyKeys" "c:\JimmyKeys.xml"

b.確認(rèn)服務(wù)器上aspx登錄所用的默認(rèn)賬號(hào)

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

隨便建一個(gè)aspx，把上一行代碼貼到里面就可以了，IIS5環(huán)境下輸出的是ASPNET，IIS6環(huán)境下輸出的是NETWORK SERVICE，IIS7下沒(méi)試過(guò)也不知道輸出的是啥玩意兒

c.授于RSA窗口的讀取權(quán)限給b中的默認(rèn)賬號(hào)

aspnet_regiis.exe -pa "JimmyKeys" "NETWORK SERVICE"

順便把剛才這些個(gè)操作的命令整理成幾個(gè)批處理

1.本機(jī)bat(新建RSA容器，導(dǎo)出容器，加密web.config)

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pz "JimmyKeys"

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pc "JimmyKeys" -exp

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -px "JimmyKeys" "c:\JimmyKeys.xml"

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "appSettings" "c:\website" -prov "JimmyRSAProvider"

2.遠(yuǎn)程服務(wù)器bat(導(dǎo)入RSA容器，授權(quán))

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pi "JimmyKeys" "c:\JimmyKeys.xml"

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "JimmyKeys" "NETWORK SERVICE" 

 

加密前:

 <connectionStrings>

  <add name="connStr" connectionString="Data Source=server;Initial Catalog=Lib;User ID=sa;password=***"

   providerName="System.Data.SqlClient" />

 </connectionStrings>

加密后:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">

  <EncryptedData Type="http://www./2001/04/xmlenc#Element"

   xmlns="http://www./2001/04/xmlenc#">

   <EncryptionMethod Algorithm="http://www./2001/04/xmlenc#tripledes-cbc" />

   <KeyInfo xmlns="http://www./2000/09/xmldsig#">

    <EncryptedKey xmlns="http://www./2001/04/xmlenc#">

     <EncryptionMethod Algorithm="http://www./2001/04/xmlenc#rsa-1_5" />

     <KeyInfo xmlns="http://www./2000/09/xmldsig#">

      <KeyName>Rsa Key</KeyName>

     </KeyInfo>

     <CipherData>

     

<CipherValue>breSi2wD4X4CAKh0puzhYtyltmR3cp9JfEE8Yw03NeWGZCOoEvDuxAceKLEsmYx8r/tI5NsZxOmY20pQzD1KvGELzz4rhkEPE9LKTAwyKNhqzMPFoRnjsdGTvs6JhrvVat9rdvgKbfTvVLXuvpXgSeNB0T6XJWq

/vOIU7KTyFjk=</CipherValue>

     </CipherData>

    </EncryptedKey>

   </KeyInfo>

   <CipherData>

   

<CipherValue>c4HD+EfJl//pv4eEzT938aWYhLyPBUt8lbNWf4Y4c6tewWLNBTwgYXtxPh6TnF8ne6s9H5C/AwXy/3JECuNEd8YGOO+RDhxw8NySd8vUc53+iUiHW5TLs/aoIvy8k1yOfLWGKFFWPtoX4F4gMTS+MAmhkiHQ46p

H2VyjyprNsl8LE2pGNjDOJnDeGYq+wkn2iw968+qjuTCibGJn6h6iGYGHYmkYUrgRzfo3iIZu+eCWE2IqCP+s58eQRjU3MxJ2BqeUU9HaKy4=</CipherValue>

   </CipherData>

  </EncryptedData>

 </connectionStrings>

同樣，這種方式加密后，aspx讀取節(jié)點(diǎn)時(shí)也無(wú)需任何解密處理，代碼不用做任何修改

注意:并不是所有的節(jié)點(diǎn)都能加密，ASP.NET 2.0僅支持對(duì)Web.config的部分配置節(jié)進(jìn)行加密，以下配置節(jié)中的數(shù)據(jù)是不能進(jìn)行加密的：

 <processModel>

 <runtime>

 <mscorlib>

 <startup>

 <system.runtime.remoting>

 <configProtectedData>

 <satelliteassemblies>

 <cryptographySettings>

 <cryptoNameMapping>

 <cryptoClasses>

另外，除了AppSettings和ConnectionStrings以外的其它節(jié)點(diǎn)，可以這樣寫:

aspnet_regiis.exe -pef "system.serviceModel/behaviors" "d:\website\cntvs\"


即對(duì)<system.serviceModel>下的<behaviors>節(jié)點(diǎn)加密,這一節(jié)點(diǎn)同樣適用于代碼方式加密，經(jīng)過(guò)多次嘗試，似乎除了AppSettings和ConnectionStrings以外的其它節(jié)點(diǎn)，只能支持二級(jí)節(jié)點(diǎn)。

象以下寫法:

aspnet_regiis.exe -pef "system.serviceModel/behaviors/endpointBehaviors" "d:\website\cntvs"　

運(yùn)行時(shí)會(huì)報(bào)錯(cuò):

未找到配置節(jié)“system.serviceModel/behaviors/endpointBehaviors”。