You use Microsoft .NET Framework 4.0 to develop an ASP.NET 4 Web application.
You need to encrypt the connection string information that is stored in the web.config file. The application is deployed to multiple servers.
The encryption keys that are used to encrypt the connection string information must be exportable and importable on all the servers.
You need to encrypt the connection string section of the web.config file so that the file can be used on all of the servers.
Which code segment should you use?
A.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConnectionStringsSection section = (ConnectionStringsSection)config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();
B.
Configuration config = WebConfigurationManager.OpenMachineConfiguration("~");
ConnectionStringsSection section = (ConnectionStringsSection)config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();
C.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConnectionStringsSection section = (ConnectionStringsSection)config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("DpapiProtectedConfigurationProvider");
config.Save();
D.
Configuration config = WebConfigurationManager.OpenMachineConfiguration("~");
ConnectionStringsSection section = (ConnectionStringsSection)config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("DpapiProtectedConfigurationProvider");
config.Save();
Explanation:
You encrypt and decrypt the contents of a Web.config file either with System.Configuration.DpapiProtectedConfigurationProvider from the System.Configuration.dll assembly, which uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data, or with System.Configuration.RsaProtectedConfigurationProvider, which uses the RSA encryption algorithm to encrypt and decrypt data.
When you use the same encrypted configuration file on many computers in a web farm, only System.Configuration.RsaProtectedConfigurationProvider lets you export the encryption keys that encrypt the data and import them on another server. It is also the default protected-configuration provider.
Reference: CHAPTER 8 Developing Reliable Applications
Lesson 3: Protecting Your Data
Storing Encrypted Connection Strings in Web Applications (page 555)
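As an added example (not code from the exam question, its explanation, or the referenced book), the following C# shows the web-farm-friendly variant in full: it opens the application's own web.config rather than machine.config, checks whether the section is already protected, encrypts it with RsaProtectedConfigurationProvider, and can reverse the operation before a key rotation. The class name, the appPath parameter and the helper methods are assumptions for illustration; the provider name and the SectionInformation members are the real .NET Framework APIs.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not code from the exam page. Assumes it runs inside (or under the
// same identity as) the ASP.NET application whose web.config is being protected.
public static class ConnectionStringProtector
{
    private const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts the connectionStrings section with the RSA provider and returns true
    // if it changed the file (false if the section was already protected).
    // appPath is the application's virtual path; "~" is the current application.
    public static bool ProtectWithRsa(string appPath = "~")
    {
        // OpenWebConfiguration targets the application's web.config;
        // OpenMachineConfiguration would edit machine.config instead, which
        // is not what the question asks for.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConnectionStringsSection section =
            (ConnectionStringsSection)config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings already protected by {0}",
                              section.SectionInformation.ProtectionProvider.Name);
            return false;
        }

        // The RSA provider keeps its key pair in a machine-level RSA key container
        // (NetFrameworkConfigurationKey by default). That container can be exported
        // from this server and imported on the others, so every server can decrypt
        // the same web.config. DPAPI ciphertext, by contrast, is bound to the machine.
        section.SectionInformation.ProtectSection(RsaProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses the encryption, for example before rotating the key container.
    public static bool Unprotect(string appPath = "~")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConnectionStringsSection section =
            (ConnectionStringsSection)config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading through the configuration API decrypts transparently, so application
    // code never needs to know whether the section is encrypted on disk.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }
}
```

Encrypting is only half of the farm scenario; the key container has to travel too. On the server where the section was encrypted, export the container including its private key with `aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri`; on each other server import it with `aspnet_regiis -pi "NetFrameworkConfigurationKey" keys.xml` and grant the application pool identity read access with `aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\DefaultAppPool"` (substitute the real pool identity). Treat keys.xml as a secret equivalent to the plaintext connection strings: copy it over a protected channel and delete it once imported. If a file encrypted with DpapiProtectedConfigurationProvider is deployed to a second server, the runtime throws a configuration error at startup because the DPAPI key material never leaves the original machine, which is exactly why the DPAPI options are wrong for this question.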
I met a question on the actual exam very similar to this one; I think it was a rewrite of this one. It made no sense to me, but maybe you know the answer. I have highlighted the differences from the one above. The question looked exactly like this on the exam:
“You use Microsoft .NET Framework 4.0 to develop an ASP.NET 4 Web application.
You need to encrypt the connection string information that is stored in the web.config file. The application is deployed to _one_ server.
The encryption keys that are used to encrypt the connection string information must _NOT_ be exportable and importable on all the servers.
You need to encrypt the connection string section of the web.config file so that the file can be used on all of the servers.
Which code segment should you use?”
And the answers are the same as above. It made no sense to me, so I picked an answer, and since there is an opportunity to comment on marked questions after the exam, I sent feedback to MS about it.
* DpapiProtectedConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data.
* RsaProtectedConfigurationProvider uses the RSA encryption algorithm to encrypt and decrypt data.
Both providers offer strong encryption of data. However, if you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy for you to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.
So if you want your key to be NOT exportable, you should go with DPAPI. If you want your key to be exportable (for multiple servers), then you want to use RSA.