Encrypting the Autoscaling Settings in the Configuration File
Retired Content
This content and the technology described is outdated and is no longer being maintained. For more information, see Transient Fault Handling.
The Autoscaling Application Block encrypts its section of the configuration file with an X.509 certificate whose key pair is stored in a Personal Information Exchange file (PFX, also called PKCS #12). Encrypting needs only the certificate's public key; decrypting at run time needs the private key, so the same certificate (with its private key) must be available wherever the configuration is read. For more information, see "Pkcs12 Protected Configuration Provider."
Note
The encryption solution used by the Autoscaling Application Block is not recommended as a general approach for encrypting sensitive data in Microsoft Azure. The Autoscaling Application Block uses this solution to meet its specific security requirements. You should carefully evaluate any encryption approach that you decide to use in your own Azure applications.
The following procedure describes how to configure the Autoscaling Application Block to encrypt its settings in the configuration file.
Encrypting the autoscalingConfiguration section of the configuration file
Download the source code for the Pkcs12 Protected Configuration Provider from the Downloads page at "Pkcs12 Protected Configuration Provider."
Unzip the source and open the project in Visual Studio.
Note
The project was created using Visual Studio 2008. Follow the instructions to run the conversion wizard to upgrade the project.
On the Build menu, click Build Solution.
From the Start menu, open a Visual Studio Command Prompt window as an Administrator.
Navigate to the bin\Release folder in the folder that contains the Pkcs12 Protected Configuration Provider project.
Add the PKCS12ProtectedConfigurationProvider to the global assembly cache using the following command:
gacutil /i PKCS12ProtectedConfigurationProvider.dll
In Visual Studio, open your project that hosts the Autoscaling Application Block. Then open the app.config file (if the host is a worker role) or web.config file (if the host is a web role).
Add the following configProtectedData section to your configuration file.
<configProtectedData>
  <providers>
    <add name="CustomProvider"
         thumbprint="[Add your certificate thumbprint here]"
         type="Pkcs12ProtectedConfigurationProvider.Pkcs12ProtectedConfigurationProvider, PKCS12ProtectedConfigurationProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=34da007ac91f901d"/>
  </providers>
</configProtectedData>
Add the thumbprint of the certificate to the thumbprint attribute. Be sure to remove any spaces from the thumbprint (the Certificates MMC snap-in inserts a space between every byte when you copy it). For instructions about how to discover the thumbprint of your certificate, see the topic "Creating an Encryption Certificate."
Save your app.config or web.config file.
You can now use the Enterprise Library configuration tool to encrypt the Autoscaling Application Block section of your configuration file. Right-click the configuration file in Solution Explorer and click Edit Configuration File to launch the Enterprise Library Configuration Console.
In the Protection Provider field in the Autoscaling Settings section, enter CustomProvider.
Note
CustomProvider does not appear in the drop-down; you must type it in.
When you save your configuration using the Enterprise Library Configuration Console, the Autoscaling Application Block settings are encrypted. The section below shows the result: the section content is encrypted with AES-192 in CBC mode, and that AES key is in turn encrypted with the certificate's RSA key using PKCS #1 v1.5 padding (the rsa-1_5 algorithm identifier). Note that neither of these XML Encryption algorithms includes an integrity check, so this protects the settings from being read in a leaked file but does not by itself detect a tampered section; file ACLs and control of the certificate's private key still matter.
<autoscalingConfiguration configProtectionProvider="CustomProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>rsaKey</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>Kd0o...</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>nqFb...</CipherValue>
    </CipherData>
  </EncryptedData>
</autoscalingConfiguration>
Note
You can decrypt the section by deleting the CustomProvider value from the Protection Provider field in the Enterprise Library configuration tool.
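The same protect and unprotect steps can be scripted instead of done in the Enterprise Library Configuration Console, which is useful in a build pipeline and lets you check the two things that most often go wrong: a thumbprint in configProtectedData that does not match an installed certificate, and a certificate imported without its private key (encryption then succeeds but nothing can ever decrypt the section). The following console program is an added example, not code from the Autoscaling Application Block or the Pkcs12 Protected Configuration Provider. It assumes the provider assembly is in the GAC, the host's configuration file already contains the configProtectedData entry named CustomProvider from the steps above, and the project that compiles it references the Autoscaling Application Block assemblies so that the autoscalingConfiguration section type can be loaded. The section name and provider name are the ones used on this page; the command-line layout is the example's own.

```csharp
// Added example (not part of the Autoscaling Application Block or the Pkcs12
// provider). Assumptions: provider assembly in the GAC, configProtectedData
// entry "CustomProvider" present in the host config, and the Autoscaling
// Application Block assemblies referenced so the section type can be loaded.
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class AutoscalingConfigProtector
{
    const string SectionName = "autoscalingConfiguration";
    const string ProviderName = "CustomProvider";

    // The Certificates MMC snap-in copies thumbprints with a space between
    // bytes and sometimes an invisible leading character. Keep only the hex
    // digits, upper-cased, so the value compares equal to the thumbprint
    // attribute in configProtectedData.
    public static string NormalizeThumbprint(string raw)
    {
        return new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    // The provider locates the certificate by thumbprint in LocalMachine\My.
    // Encrypting needs only the public key, but decrypting on the role instance
    // needs the private key, so refuse a certificate imported without it.
    public static X509Certificate2 FindEncryptionCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected one certificate with thumbprint " + thumbprint + ", found " + found.Count);
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key; nothing could decrypt the section");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Reads the thumbprint that configProtectedData binds to the provider so a
    // mismatch with the installed certificate is caught before encrypting.
    public static string ConfiguredThumbprint(Configuration config)
    {
        var protectedData = (ProtectedConfigurationSection)config.GetSection("configProtectedData");
        ProviderSettings provider = protectedData.Providers[ProviderName];
        if (provider == null)
            throw new InvalidOperationException("No configProtectedData provider named " + ProviderName);
        return NormalizeThumbprint(provider.Parameters["thumbprint"] ?? "");
    }

    // Same effect as typing "CustomProvider" into the Protection Provider field
    // of the Enterprise Library Configuration Console (or clearing it, when
    // unprotect is true), done through System.Configuration directly.
    public static void Protect(string hostAssemblyPath, string thumbprint, bool unprotect)
    {
        // OpenExeConfiguration opens <hostAssemblyPath>.config, e.g. WorkerRole.dll.config.
        Configuration config = ConfigurationManager.OpenExeConfiguration(hostAssemblyPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new InvalidOperationException(SectionName + " not found in " + config.FilePath);

        string configured = ConfiguredThumbprint(config);
        if (configured != thumbprint)
            throw new InvalidOperationException(
                "configProtectedData thumbprint " + configured + " does not match certificate " + thumbprint);

        SectionInformation info = section.SectionInformation;
        if (unprotect && info.IsProtected)
            info.UnprotectSection();
        else if (!unprotect && !info.IsProtected)
            info.ProtectSection(ProviderName);
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        Console.WriteLine("{0}: protected={1}{2}", config.FilePath, info.IsProtected,
            info.IsProtected ? " provider=" + info.ProtectionProvider.Name : "");
    }

    // Usage: AutoscalingConfigProtector.exe <thumbprint> <path\to\WorkerRole.dll> [unprotect]
    static void Main(string[] args)
    {
        string thumbprint = NormalizeThumbprint(args[0]);
        X509Certificate2 cert = FindEncryptionCertificate(thumbprint);
        Console.WriteLine("Using " + cert.Subject + " (" + thumbprint + ")");
        Protect(args[1], thumbprint, args.Length > 2 && args[2] == "unprotect");
    }
}
```

Run it elevated, because the provider reads the certificate from the local machine store. For a web role, open the site's web.config with WebConfigurationManager.OpenWebConfiguration instead of OpenExeConfiguration; the ProtectSection and UnprotectSection calls are the same. After protecting, reading the section through the block at run time returns the decrypted settings transparently, as long as the certificate with its private key is present on the machine doing the reading.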
To allow your role instances in Azure to decrypt the configuration settings at run time, you must upload the certificate, including its private key (the .pfx file), as a service certificate for the hosted service.
To upload your certificate to Azure you can use any of the following methods.
- Azure Management Portal. You can upload the service certificate through the Management Portal. For more information, see "How to Add a New Certificate to the Certificate Store" on MSDN.
- Windows Azure PowerShell Cmdlets. You can use the Add-Certificate cmdlet to upload a service certificate. For more information, see "Windows Azure PowerShell Cmdlets".
- CSUpload Command-Line Tool. You can use the CSUpload command-line tool in the Azure SDK for .NET to upload a service certificate. For more information, see "How to Upload a Service Certificate by Using the CSUpload Command-Line Tool" on MSDN.
Last built: June 7, 2012