doud.cli.encrypt.decrypt.appsettings 1.0.1

dotnet tool install --global doud.cli.encrypt.decrypt.appsettings --version 1.0.1
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local doud.cli.encrypt.decrypt.appsettings --version 1.0.1

AesEncryptionSolution v1.0

After a number of months of beta testing, this is the first production release of AesEncryptionSolution. There are no feature changes in this release, just a few small bug fixes.

The AesEncryptionSolution is a project with the goal of providing security for connection strings in the appsettings.json file of Microsoft WebApi projects when projects are uploaded to any cloud server either as source files or executable files. It accomplishes this by using AES encryption to encrypt any or all of the connection strings contained in the appsettings.json file. When the application runs and reads the connection string from the appsettings.json file, the encrypted connection string is dynamically decrypted just at the moment that it is passed to make a connection to the SQL database.

The solution is made up of two projects. The first is the NuGet package called doud.appsettings.connectionstring.encryption that will be used at runtime to decrypt the encrypted connection string. The second is a NuGet package tool called doud.cli.encrypt.decrypt.appsettings that can encrypt and decrypt the connection strings from the Package Manager Console.

Installation

To use the AesEncryptionSolution, in your Visual Studio project, start by installing the two NuGet packages using the NuGet Package Manager for Solutions or at the Developer PowerShell:

doud.appsettings.connectionstring.encryption
doud.cli.encrypt.decrypt.appsettings 

Open a Developer PowerShell window and enter the following commands at the PM> prompt:

PS> dotnet new tool-manifest # This must be done only once
PS> dotnet tool install --local doud.cli.encrypt.decrypt.appsettings --version 0.8.1-beta1

The security file

The encryption mechanism requires some unique data so that only someone with this unique data can decrypt data that has been previously encrypted. This data is contained in the security file, which is a simple JSON file of any name stored somewhere in a project folder.

Assume the file name is security.json. The file contains only two keys. Key is an array of 32 numbers, each between 1 and 255 (inclusive), separated by commas and surrounded by square brackets. There should be no other characters. Iv is an array of 16 numbers, each between 1 and 255 (inclusive), separated by commas and surrounded by square brackets. All the integers in both arrays should be random numbers. Both keys must be enclosed in a pair of curly brackets {}:

{
	"Key": [1,2,3,4,5 ... 30,31,32],
	"Iv": [1,2,3,4,5 ... 14,15,16]
}

It is recommended to store the security file in the same location as the appsettings.json file.
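
A check for a hand-edited security file against the rules above (exactly two keys, 32 and 16 integers, each from 1 to 255). This is an added PowerShell example, not part of the doud packages; the function name Test-SecurityFile is hypothetical, and matching the key names case-sensitively is an assumption.

```powershell
# Added example; Test-SecurityFile is a hypothetical helper, not part of the doud packages.
# Emits one string per problem; no output means the file follows the README's rules.
function Test-SecurityFile {
    param([Parameter(Mandatory)][string]$Json)   # raw text of the security file

    try { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { 'not valid JSON'; return }
    if ($doc -isnot [System.Management.Automation.PSCustomObject]) {
        'top level must be an object holding Key and Iv'; return
    }
    # Assumption: key names are matched case-sensitively, as spelled in the README.
    $names = @($doc.PSObject.Properties | ForEach-Object Name)
    foreach ($n in $names) {
        if ($n -cnotin 'Key', 'Iv') { "unexpected key '$n'" }
    }
    foreach ($spec in @{ Name = 'Key'; Size = 32 }, @{ Name = 'Iv'; Size = 16 }) {
        $name = $spec.Name
        if ($name -cnotin $names) { "missing '$name'"; continue }
        $values = @($doc.$name)
        if ($values.Count -ne $spec.Size) {
            "'$name' has $($values.Count) entries, expected $($spec.Size)"
        }
        $bad = @($values | Where-Object {
                ($_ -isnot [int] -and $_ -isnot [long]) -or $_ -lt 1 -or $_ -gt 255 })
        if ($bad.Count -gt 0) {
            "'$name' has $($bad.Count) entries that are not integers in 1..255"; continue
        }
        # A constant step between entries (1,2,3,...) is a copied placeholder, not random data.
        $steps = @(for ($i = 1; $i -lt $values.Count; $i++) { $values[$i] - $values[$i - 1] })
        if ($steps.Count -gt 0 -and @($steps | Select-Object -Unique).Count -eq 1) {
            "'$name' is a fixed-step sequence; regenerate with dotnet doud-encrypt --generate"
        }
    }
}

# Constructed sample: the placeholder pattern 1,2,3,... written out in full.
$sample = '{ "Key": [' + ((1..32) -join ',') + '], "Iv": [' + ((1..16) -join ',') + '] }'
Test-SecurityFile -Json $sample
```

For a real file, pass its text with `Test-SecurityFile -Json (Get-Content ./security.json -Raw)`.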

With this tool installed in the project, you can encrypt and decrypt connection strings.

Executing 'update-database'

In a Code-First WebApi project, changing models requires updating the database from the generated migrations, but the application is not running when that command is executed, so the connection string is not decrypted dynamically. It is recommended that the connection string being used be decrypted manually for the update-database command and then encrypted again before the application is started.

Configuring Program.cs

This section will describe how to utilize the AesEncryption package for dynamic decryption of connection strings.

Start by adding the following using statements.

using Doud.Appsettings;
using Doud.Appsettings.ExtensionMethods;

Create an instance of AesSecurity, passing the full path of the security file:

AesSecurity asec = new AesSecurity("./security.txt");

When passing the selected connection string, add a call to Decrypt() passing the asec variable.

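// Requires: using Microsoft.EntityFrameworkCore; (for UseSqlServer)
builder.Services.AddDbContext<AppDbContext>(x => {
	// Decrypt the stored value only at the point it is handed to the SQL Server provider
	x.UseSqlServer(builder.Configuration.GetConnectionString("ProdDb").Decrypt(asec));
});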

The Decrypt() extension method will decrypt the connection string just before it is passed to SQL Server.

Using the doud-encrypt tool

dotnet doud-encrypt { --generate [filepath] | { --security [filepath] --keys AAAA,BBBB,CCCC,... } { --decrypt } }

e.g. dotnet doud-encrypt --generate ./security.json
e.g. dotnet doud-encrypt --security ./securityKeys.json --keys ProdDb,DevDb,DockerDb { --decrypt }

The `--generate` option generates a security file with the name and folder given by the filepath. When used, this option overrides all other options.
The `--security` option gives the path to the security file containing the Key and Iv values.
The `--keys` option lists the connection string keys in appsettings.json that should be encrypted or decrypted.
The `--decrypt` option causes the program to decrypt the selected keys. If this option is absent, the connection strings will be encrypted.

This will decrypt any of the connection strings. Be sure to change directory into the one containing the appsettings.json.

Note: doud-encrypt will attempt to decrypt a connection string even if it has not been encrypted. Run the decrypt option ONLY on encrypted connection strings!
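
Because the tool does not check whether a value is already encrypted, and the update-database workflow described earlier leaves a connection string decrypted for a while, it helps to report the state of each key before running `--decrypt` and before starting or deploying the application. The following is an added PowerShell example, not part of the doud tool; `Get-ConnectionStringState` is a hypothetical name, and the script assumes the standard `ConnectionStrings` section and that encrypted values never look like ADO.NET `keyword=value` pairs.

```powershell
# Added example; Get-ConnectionStringState is a hypothetical helper, not part of the doud tool.
# Assumptions: entries live under the standard "ConnectionStrings" section of appsettings.json,
# and ciphertext never contains ADO.NET "keyword=value" pairs (its format is not documented
# on this page), so a value is either recognisably Plaintext or reported as Opaque.
function Get-ConnectionStringState {
    param(
        [Parameter(Mandatory)][string]$AppSettingsJson,  # raw text of appsettings.json
        [string[]]$Keys                                  # the names you would pass to --keys
    )
    $keyword = '(^|;)\s*(server|data source|initial catalog|database|user id|uid|' +
               'password|pwd|integrated security|trusted_connection)\s*='
    $section = ($AppSettingsJson | ConvertFrom-Json -ErrorAction Stop).ConnectionStrings
    if ($null -eq $section) { throw 'no ConnectionStrings section found' }

    $found = @($section.PSObject.Properties | ForEach-Object Name)
    foreach ($k in $Keys) {
        if ($k -notin $found) { Write-Warning "key '$k' is not in ConnectionStrings" }
    }
    foreach ($p in $section.PSObject.Properties) {
        if ($Keys -and $p.Name -notin $Keys) { continue }
        $state = 'Opaque'
        if ([string]$p.Value -match $keyword) { $state = 'Plaintext' }
        [pscustomobject]@{ Name = $p.Name; State = $state }
    }
}

# Constructed sample: one plaintext entry and one stand-in for an encrypted value.
$sample = @'
{ "ConnectionStrings": {
    "ProdDb": "Server=db.example.internal;Database=App;User Id=app;Password=<placeholder>",
    "DevDb":  "c29tZS1vcGFxdWUtdmFsdWU="
} }
'@
$report = @(Get-ConnectionStringState -AppSettingsJson $sample -Keys ProdDb, DevDb)
$report | Format-Table -AutoSize

# Gate for a build or start-up script: refuse to continue while anything is still plaintext.
if ($report.State -contains 'Plaintext') {
    Write-Warning 'plaintext connection string present; encrypt it before starting or deploying'
}
```

Before running `--decrypt`, every selected key should report Opaque; a key reported as Plaintext should be left out of the `--keys` list for that run.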

Compatible and additional computed target framework versions:
.NET: net8.0 is compatible. net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos and net8.0-windows were computed.

This package has no dependencies.

Version Downloads Last updated
1.0.1 165 2/18/2024
1.0.0 151 2/18/2024
0.8.1-beta1 232 11/19/2023
0.8.0-beta1 125 11/19/2023
0.7.3-alpha 121 11/13/2023
0.7.2-alpha 134 11/13/2023