我正在开发一个ASP.Net Core Web API,而在开发环境中,我们只需将连接字符串以明文形式写入
我一直在寻找保护/加密连接字符串的方法,但大多数解决方案都使用Azure Key Vault或用户密钥。我决定遵循这篇文章对
以下是我迄今为止所拥有的:
在
appsettings.json
文件中。但现在我们要将此API发布到生产服务器和Web上(我们将使用FortiWeb来发布API,而不是Azure),因此我们不能再以明文形式保存用户凭据。我一直在寻找保护/加密连接字符串的方法,但大多数解决方案都使用Azure Key Vault或用户密钥。我决定遵循这篇文章对
appsettings.json
信息进行加密和解密,但这篇文章不太完整。我设法创建了文章中描述的类,但我卡住了,不知道如何使用它。这是我第一次从零开始开发API,而且我对信息安全完全是新手。以下是我迄今为止所拥有的:
在
appsettings.json
文件中:{
"ConnectionStrings": {
"MyConnection": "Data Source=MyServerName;Initial Catalog=MyDb;Persist Security Info=True;User ID=MyUser;Password=MyPwd"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"AllowedHosts": "*"
}
在 DecryptedConfiguration.cs
类中:
public class DecryptedConfiguration : ConfigurationProvider
{
public ICryptoTransform Decryptor;
private ICryptoTransform Encryptor;
internal DecryptedConfiguration(byte[] Key, byte[] IV)
{
Aes aes = Aes.Create();
Decryptor = aes.CreateDecryptor(Key, IV);
Decryptor = aes.CreateDecryptor(Key, IV);
}
public override bool TryGet(string key, out string value)
{
if (base.TryGet(key, out value))
{
byte[] decryptedBytes = Convert.FromBase64String(value);
byte[] textBytes = Decryptor.TransformFinalBlock(decryptedBytes, 0, decryptedBytes.Length);
value = Encoding.Unicode.GetString(textBytes);
return true;
}
return false;
}
public override void Set(string key, string value)
{
byte[] textBytes = Encoding.Unicode.GetBytes(value);
byte[] decryptedBytes = Decryptor.TransformFinalBlock(textBytes, 0, textBytes.Length);
base.Set(key, Convert.ToBase64String(decryptedBytes));
}
}
在DecryptedConfigurationSource.cs
类中:
public class DecryptedConfigurationSource : IConfigurationSource
{
private byte[] Key;
private byte[] IV;
public DecryptedConfigurationSource(byte[] Key, byte[] IV)
{
this.Key = Key;
this.IV = IV;
}
public IConfigurationProvider Build(IConfigurationBuilder builder)
{
return new DecryptedConfiguration(Key, IV);
}
}
在 Startup.cs
类中:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
Aes aes = Aes.Create();
byte[] key = aes.Key;
byte[] iv = aes.IV;
IConfigurationBuilder encryptingBuilder = new ConfigurationBuilder()
.AddJsonFile("appsettings.json")
.Add(new DecryptedConfigurationSource(key, iv))
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
IConfiguration cfg = encryptingBuilder.Build();
string ecryptedValue = cfg.GetValue<string>("ConnectionStrings:MyConnection");
}