This is the fourth part in a multi-part blog series about securing your connection string in Windows Azure. In the first blog post (found here) I discussed a technique for creating a public/private key pair and using the Windows Azure Certificate Store to store the private key and decrypt the secure connection string. In the second blog post (found here) I showed how the Windows Azure administrator imports the private key into Windows Azure. In the third blog post I showed how the SQL Server Administrator uses the public key to encrypt the connection string. In this blog post I will discuss the role of the developer and the code they need to add to the web role project to get the encrypted connection string.
In this technique there is a web developer role. The developer has access to the public key (though he doesn't need to use it) and to the encrypted web.config file given to him by the SQL Server Administrator. His job is to:
The developer's role is the most restricted role in this technique. He has access neither to the private key nor to the clear-text connection string.
The provider needs to be compiled so it can be referenced by the web role project. You will need Visual Studio 2008 or Visual Studio 2010 on your box. We discussed this in Part 3 for the SQL Azure Administrator; however, the developer needs a compiled instance of it as well. In some cases the developer will compile it for the SQL Azure Administrator; in other cases the code will be checked in and compiled with every build. Follow your company's guidelines. The steps to compile it are:
Replace the thumbprint in the web.config with the thumbprint of the certificate shown in the Windows Azure portal. This is the thumbprint of the private key, and the provider needs it to locate the certificate and decrypt the connection string.
Now you are ready to create your deployment package and deploy to Windows Azure. The web.config file with the encrypted connection string is deployed to Windows Azure along with the PKCS12ProtectedConfigurationProvider.dll assembly. The provider looks up the private key in the Windows Certificate store by its thumbprint and uses it to decrypt the connection string for the code.
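To show where the thumbprint from the portal lands, here is an added illustration (not the original post's own web.config) of the production web.config wiring: the provider is registered under configProtectedData and the connectionStrings section names it as its protection provider. The provider's assembly-qualified type name and the `thumbprint` attribute are assumed from the sample project's conventions; copy them from the provider you actually compiled, and the encrypted payload is a placeholder that the SQL Azure Administrator's encryption step produces.

```xml
<?xml version="1.0"?>
<configuration>
  <configProtectedData>
    <providers>
      <!-- The name here must match configProtectionProvider below.
           thumbprint: the private-key certificate thumbprint from the Windows Azure portal
           (placeholder value; no spaces, all characters copied). -->
      <add name="CustomProvider"
           thumbprint="THUMBPRINT-FROM-WINDOWS-AZURE-PORTAL"
           type="Pkcs12ProtectedConfigurationProvider.Pkcs12ProtectedConfigurationProvider, PKCS12ProtectedConfigurationProvider" />
    </providers>
  </configProtectedData>

  <!-- Encrypted by the SQL Azure Administrator with the public key.
       The developer never sees the clear-text value; at runtime the provider
       decrypts it with the private key held in the Windows Certificate store. -->
  <connectionStrings configProtectionProvider="CustomProvider">
    <EncryptedData>
      <!-- placeholder: ciphertext emitted by the encryption step goes here -->
    </EncryptedData>
  </connectionStrings>
</configuration>
```

If the provider cannot find a certificate for the thumbprint at runtime, ASP.NET fails the section load with "Failed to decrypt using provider 'CustomProvider'", so verify the thumbprint and the role's certificate settings before deploying.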
Have you ever noticed that when things become more secure the developer's job gets harder? One consequence of this technique is that the production web.config file will not work on the developer's box running the development fabric. The reason is that the private key is not on the developer box, and that private key is needed to decrypt the web.config. The solution is not to install the private key on the developer's box, since this would compromise the connection string. The solution is to have the developers run a different web.config, one that contains connection strings to development SQL Azure databases. This version of the connection string doesn't need to be encrypted.
Any code running on the production Windows Azure servers that has access to the web.config and the Windows Azure Certificate store has access to the SQL Azure connection string. For example, this code (the connection string name is a placeholder for whichever one you configured):
Response.Write("Clear text connection string is: " + ConfigurationManager.ConnectionStrings["<your-connection-string-name>"].ConnectionString);
Running on the production server, it would print out the decrypted connection string. This means that all code running on the Windows Azure server needs a security code review to make sure a rogue developer doesn't compromise the integrity of the security work we have done by encrypting the connection string. It also means that anyone who can deploy to the production Windows Azure server has the ability to figure out the connection string.
Do you have questions, concerns, comments? Post them below and we will try to address them.
I have completed all the steps, but then receive this message when trying to use the connection string:
Failed to decrypt using provider 'CustomProvider'. Error message from the provider: No certificate was found for thumbprint 350E6DF8050CEAA04729FC45BA904E6D204B1646 (E:\approot\web.config line 19)
I have verified the thumbprint in Azure. I have the certificate uploaded to the account and also within the service. Any ideas? Thanks!
1) Are you sure that you uploaded to the right Windows Azure account? How many do you have?
2) Is the thumbprint in the error message missing any characters? i.e. a copy and paste error.
3) Did you upload the certificate with the private key?
I experienced the same issue as Jaeel, and the issue was that I hadn't made the certificate available to the Cloud Website via the service definitions... I did this by adding the following to the servicedefinition.csdef inside the webrole section:
<Certificate name="AzureConfig" storeLocation="LocalMachine" storeName="My" />
and the corresponding entry to the Role section of the serviceConfiguration.cscfg
<Certificate name="AzureConfig" thumbprint="834BD072379A27B1468526C75194CF7D5387110C" thumbprintAlgorithm="sha1"/>
This then gave the application visibility of the certificate and everything worked.
Wayne - many thanks for taking the time to write such a thorough article, it was very helpful!
Thanks Nick, that fixed the problem. Wayne, thanks for the great content!
Is there a way to configure certificate using the code, inside Global.asax.cs (i.e. not, using the web.config)?
CT: Because the web.config loads (and decrypts) before the Global.asax.cs is called, there is not a way I can think of to do that. However, you might be able to solve your issue by downloading the source code, modifying it and creating your own custom provider.
Thank you Wayne for the detailed steps.
I followed all the steps as you describe. However, one thing I have noticed is that the thumbprint values returned by the Azure and by the local MMC snap-in are the same. Should not they be different?
We have done the steps and it is working fine if it is installed in the GAC. If we reference the dll in the project and it is not installed in the GAC, then how do we encrypt the connection string?
I am getting the error "The protection provider 'Customprovider' was not found" when trying to encrypt. Any thoughts on how to resolve this? Thank you
I managed to use encryption of app.config for a web role project.
Is this also possible for a web site running on Azure? I have been digging the web for days now, but it seems this is a feature for web roles only.