Articles in this section

DPAPI Auto-Encryption of Certain Fields

Avatar
Todd Mollerup
  • Created
  • Updated
Follow

Identity Panel Core Framework 3.3.6

Identity Panel Windows Service (Panel Service) 3.3.6

Auto-Encryption of certain Config.json values

Identity Panel Core Framework (Core) will encrypt passwords and connection strings stored in config.json

PanelTool.exe and Identity Panel Windows Service (Panel Service) share the same config.json file, and will encrypt passwords and connection strings stored in it.

Important Notes:

This feature is available in version 3.3.6 and higher.

Identity Panel minimizes the number of sensitive values that may need to be placed in config files. This includes performing operations with integrated authentication where possible, and storing credentials with strong encryption in the Identity Panel database where possible.

Sensitive information is encrypted the first time it is used by the applicable application (i.e. Core, Panel Service, or PanelTools)

DPAPI is used for encryption. You can learn more about how DPAPI protects your organization at https://msdn.microsoft.com/en-us/library/ms995355.aspx

By default, the DPAPI protection scope is "LocalMachine". It is possible to switch to the more secure "CurrentUser" if certain pre-requisites are met.

1. Access must be with a user account with a profile. For IIS this means switching the application pool to a custom user account.

2. Only a single account may be used to run the program. For Panel Tools, you must always run PanelTool.exe under the same credentials as the windows service account.


When switching to "CurrentUser", replace all encrypted values (you can identify them by looking for values that start with "ec:") and replace them with cleartext versions. Change the "ProtectMode" in the "Auth" section to "CurrentUser" then run PanelTool or start the web application under the credentials intended to have access.

Optional config keys are not automatically added by upgrading, so if you do not see a setting for "ProtectMode" you may need to add it. If you have upgraded you will see a file matching the new version. e.g. config_3.3.6.json. You may copy the value format from this file.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.