devattic / ConfigCrypter

DevAttic ConfigCrypter is a library that lets you encrypt configuration files and decrypt them on the fly in .NET Core applications.
MIT License

How to pass certificate password to config-crypter encrypt/decrypt commands? #1

Open Hussein-Dahir opened 3 years ago

Hussein-Dahir commented 3 years ago

Hi,

I created an SSL certificate with an export password, and I noticed that I can provide this password in my .NET code using crypter.CertificateLoader option of ConfigureAppConfiguration, this way:

using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
// plus the DevAttic.ConfigCrypter using directives that provide AddEncryptedAppSettings and ICertificateLoader

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        .UseStartup<Startup>()
        .ConfigureAppConfiguration(cfg =>
        {
            cfg.AddEncryptedAppSettings(crypter =>
            {
                // Only these keys are decrypted on the fly; everything else is read as-is.
                crypter.KeysToDecrypt = new List<string> { "ConnectionStrings:DefaultConnection" };
                // Custom loader so the PFX can be opened with its export password.
                crypter.CertificateLoader = new MyCertificateLoader();
            });
        });

public class MyCertificateLoader : ICertificateLoader
{
    public X509Certificate2 LoadCertificate()
    {
        // Path, export password and key storage flags for the password-protected PFX.
        return new X509Certificate2("mycert.pfx", "mypassword", X509KeyStorageFlags.MachineKeySet);
    }
}

But I could not find any way to provide this password to the command I use in the cmd!

config-crypter encrypt -p mycert.pfx -f appsettings.json -k "ConnectionStrings.DefaultConnection"
config-crypter decrypt -p mycert.pfx -f appsettings.json -k "ConnectionStrings.DefaultConnection"

Is there a way to do so?
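The same ICertificateLoader hook, as an added example that is not from this issue or the ConfigCrypter project, but with the PFX password read from an environment variable at runtime instead of a string literal in source; the ICertificateLoader namespace, the variable name and the file name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using DevAttic.ConfigCrypter.CertificateLoaders; // assumed namespace of ICertificateLoader

// Loads the password-protected PFX used by ConfigCrypter with a password supplied
// by the environment (CONFIGCRYPTER_PFX_PASSWORD is an assumed variable name).
public class EnvPasswordCertificateLoader : ICertificateLoader
{
    private readonly string _pfxPath;
    private readonly string _passwordVariable;

    public EnvPasswordCertificateLoader(string pfxPath, string passwordVariable = "CONFIGCRYPTER_PFX_PASSWORD")
    {
        _pfxPath = pfxPath;
        _passwordVariable = passwordVariable;
    }

    public X509Certificate2 LoadCertificate()
    {
        if (!File.Exists(_pfxPath))
            throw new FileNotFoundException("Certificate file not found.", _pfxPath);

        // Fail closed: a missing password must not fall back to an unprotected load.
        var password = Environment.GetEnvironmentVariable(_passwordVariable);
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException($"Environment variable {_passwordVariable} is not set.");

        // EphemeralKeySet keeps the private key in memory only instead of persisting it to
        // the Windows key store; it is not supported on macOS, where MachineKeySet (as in the
        // post above) or the default flags are the alternative.
        var cert = new X509Certificate2(_pfxPath, password, X509KeyStorageFlags.EphemeralKeySet);

        // Decrypting configuration values requires the private key, so check it is present.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Loaded certificate has no private key; decryption would fail.");
        return cert;
    }
}

// Registration, mirroring the ConfigureAppConfiguration call from the post (file name assumed):
// crypter.CertificateLoader = new EnvPasswordCertificateLoader("mycert.pfx");
```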

Becca37 commented 3 years ago

Info on readme says that passing a password is NOT currently implemented (as I interpret it), so my guess would be not possible at this time. I could be wrong, of course!

Additional security could be achieved by:

  • Storing your certificate in the Windows certificate store (supported by ConfigCrypter) and restricting access to it.
  • Protecting your certificate with a password that is embedded in your source code (currently not supported, but could be easily implemented).

devattic-developer commented 2 years ago

Hi! As @Becca37 said, using a password with a certificate is currently not supported. I will have a look into it. It should not be that hard to implement.

tim-rue commented 1 year ago

@devattic-developer I noticed you merged a PR #4 that implements this. Could you release a new version to nuget? It would help a lot. Thank you!