This website uses cookies to offer you a better user experience. By closing this message, or continuing to use the site without closing this message you are agreeing to use
Compare official course data from universities and colleges
About Unistats
The National Student Survey
The National Student Survey (NSS) is an annual survey which
gives university and college students the chance to have their say
about what they liked and did not like about their student learning
experience during their time in higher education. The majority of
students who complete the survey are in their final year.
In the survey, statements are put to students who then rate
their university/college and the course they took against these,
answering on a five-point scale from 'definitely disagree' to
'definitely agree'. The groups of statements cover topics such
The teaching on my course
Assessment and feedback
Academic support
Organisation and management
Learning resources
Personal development
NSS data is only shown on Unistats where at least 10 students
have completed the questionnaire and where the respondents make up
at least half of all the students on that course. If there are less
than 10 students, data cannot be published even if they were all to
complete the NSS questionnaire.
In some cases, course numbers may be combined so as to meet the
thresholds for publication but for some courses there will be no
other relevant data that will serve the purpose. If the subject is
new to the university, information about it may not be available
The National Student Survey is run by the Higher Education
Funding Council for England (HEFCE) on behalf of the Scottish
Funding Council (SFC), Department of Employment and Learning,
Northern Ireland (DELNI) and the Higher Education Funding Council
for Wales (HEFCW). The survey is undertaken on their behalf by
Ipsos MORI.
For more information about the student satisfaction survey,
visit the .
Source of employment
The Destination of Leavers from
Higher Education (DLHE) survey
The Destination of Leavers from Higher Education (DLHE) survey
asks those who have recently completed higher education courses
about their current activity, which may be working, studying,
looking for work or even travelling.
Those who are employed are asked for a description of their role
and the kind of company they work for so that the nature of their
employment can be understood and classified appropriately. They are
also asked how much they are paid.
As well as providing information to prospective students about
the destinations and earnings of those previously completing
courses they are considering applying for, the data collected help
to give a picture of patterns of further study and how destinations
differ across subjects.
Higher Education Institutions (HEIs) survey their students under
direction from the Higher Education Statistics Agency (HESA) while
Further Education Colleges (FECs) fund and administer the survey
for directly funded HE students and return the data to HEFCE.
Students studying on courses in further education colleges (FECs),
which are franchised from HEIs, are included in HEIs' DLHE survey
Students are surveyed roughly six months after completing their
course and response rates are high, with around 80% of eligible
graduates responding. The information collected in the survey is
self-reported by students, or by other people they have nominated
to respond on their behalf.
A further survey, the Longitudinal DLHE, follows up a sample of
these respondents three and a half years (40 months) later. The
response rate to this is about 40%.
Data from both surveys is displayed on Unistats, with the data
for the Longitudinal DLHE being shown for all similar courses as it
is based on a sample of all graduates, in contrast to the early
survey which is a broad census.
While graduate employment in the future may shift from current
patterns, destination information for those previously completing
the course is among those factors rated most important in making
decisions by users of the site.
In the DLHE survey, jobs that graduates report doing are
classified using the . The SOC system has eleven groupings of which
groups 1-3 are used to define "professional or managerial jobs" as
shown on Unistats.
Graduates by major SOC group
Managers and senior officials
Professional occupations
Associate professional and technical occupations
Administrative and secretarial occupations
Skilled trades occupations
Personal service occupations
Sales and customer service occupations
Process, plant and machine operatives
Elementary occupation
All occupations
HEFCE have worked with the Higher Education Careers Support Unit
(HECSU) to develop a&&to understanding the how the
information from the DLHE survey is used and what the data can tell
Employability statements
Unistats provides a link to employability statements on
university and college websites. The employability statement is a
short summary of what each university or college offers to their
students to support their employability, and their transition into
employment and beyond.
accreditation
All courses included on Unistats allow those who complete them
successfully to gain recognised UK awards. In addition, some
courses, or in some cases departments or whole universities and
colleges, will have additional accreditation conferred on them by
another body. Sometimes, additional accreditation may be a
requirement in order to allow you to join a p
for example, doctors must complete courses accredited by the
General Medical Council.
In other cases it may indicate that the course allows students
to join professional bodies, prepares them to work in certain
professions or meets the expectations of employers in particular
sectors. Where a course has some additional accreditation links are
provided to allow you to understand exactly what this means for
each course.
Accrediting bodies include Professional, Statutory and
Regulatory Bodies (PSRBs) who have statutory authority over a
profession or group of professionals. For example, the Royal
Institute of British Architects (RIBA) provides standards, training
and support of architecture and architects across the UK. It
monitors compliance with internationally recognised minimum
standards in architectural education, and identifies courses and
examinations which achieve these standards necessary to prepare
students for professional practice.
Universities and colleges with PSRB accreditation have to
satisfy the relevant body that their students meet particular
professional standards, and accreditation allows graduates to
qualify for certain types of employment, or even gain exemption
from the body's own examinations. If the data for a course indicate
that it has additional accreditation, you can check the
university/college website for more information.
Programme accreditation may lead to one or more of the
following:
Graduates are able to practise as a professional in a specific
field, and in some cases receive a licence to practise that is
Graduates are gran
Graduates are granted exemption from all or part of
Graduates are eligible for entry to membership of a
professional associatio
The programme is confirmed as meeting externally designated
standards and quality.
Some types of accreditation may be partial, so for example a
course might be specifically described as 'recognised'. You should
always check with the university or college what type of
accreditation the course has, and what it may lead to.
You can find a
currently recognised as eligible for inclusion in
Unistats on the Higher Education Statistics Agency (HESA)
We have asked the PSRBs which accredit courses at universities
or colleges to provide relevant information on their own websites
explaining in general terms the purposes of accreditation and the
potential benefits to students.
Scheduled learning and
teaching activity
Scheduled learning and teaching includes lectures, seminars and
tutorials. The table below indicates how different learning and
teaching methods are categorised in the KIS.
Activity type
KIS category
Project supervision
Demonstration
Practical classes and workshops
Supervised time in studio/workshop
External visits
Work-based learning
Guided independent study
Independent
Year abroad
In UK higher education, the expectation is that full-time
students will spend 1,200 hours each year, learning. Everyone
learns at a different rate, so the number of hours will vary from
person to person.
Guided independent study
Independent study (which may be guided) typically features
alongside lectures, seminars and similar. Independent study might
include preparation for scheduled learning sessions, follow up
work, wider reading or practice, completion of assessment tasks,
revision etc.
Placements
Placements refers to any planned period of experience that takes
place outside of the university or college (for example, in a
workplace) to help students develop particular skills, knowledge or
understanding as part of their course.
Courses delivered in Welsh
Unistats allows you to see whether you can take all or part of a
course in Welsh. Where courses are available in Welsh, please note
you can choose whether or not to study
The proportion of the course available to study in Welsh may
also vary depending on the modules you choose. You should contact
the university or college for more information.
Course assessment
Written Exams
Written exams usually occur at the end of a period of learning
to assess if students have achieved the intended learning goals.
Written exams may be 'seen', where students are told the questions
they are expected to answer in advance, or 'unseen', where the
questions are only revealed at the time of the actual exam. Some
written exams are 'open-book', where students are allowed to use a
selection of reference materials (e.g. text books) during the
assessment.
The questions asked as part of a written exam may be essay,
short answer, problem or multiple-choice. Written exams usually
(but not always) take place under timed conditions.
Coursework
Coursework may include: written assignments, essays, reports,
dissertations, portfolios, group tasks, presentations, projects, or
other similar activities that count towards your qualification or
progression.
Practical exams
Practical exams may include: presentations, assessment of
clinical skills or laboratory techniques, critique of or commentary
on artwork, language translation, or other similar activities.
Other assessments
Sometimes there are assessments that don't count towards your
qualification but you nevertheless have to pass. For example,
medics might have to pass a fitness to practice test.
Entry requirements
Each university or college has different entry qualifications
and requirements for their courses. Qualification requirements can
include GCE A-levels, Scottish Highers/Advanced Highers, Advanced
Diploma, BTEC awards, NVQs/SVQs, Access to HE and others.
Universities and colleges express entry requirements in a variety
of ways depending on the requirements of the course. An offer will
often be expressed as a minimum grade, or set of grades, depending
on the qualifications you are taking, or as a total number of
An offer may also include a minimum grade in a specific subject
or qualification. Some institutions take additional information
into consideration, such as contextual data about where you went to
school or where you live, and may make you a different offer than
the minimum specified on their website. A number of universities
and colleges will also consider applications from potential
students with no formal qualifications but who have experience that
is relevant to the course.
In addition to academic and vocational qualifications, some
courses have additional non-academic requirements that you will
need to satisfy before you start your course, in order to enable
you to follow your chosen career when you graduate.
For example, initial teacher training courses will require you
to undergo a Criminal Records Bureau check before you can start a
course where you will be working with under-18 year olds in the
classroom.
The Unistats website shows the range of entry qualifications
that students who were previously enrolled on the course had
achieved. This is not necessarily the only range of qualifications
that will be accepted for the course and you should check the
information provided on the university or college website for full
UCAS Tariff Points
The UCAS Tariff is the system for allocating points to
qualifications used for entry to higher education. Universities and
colleges can use the UCAS Tariff to make comparisons between
applicants with different qualifications. Tariff points are often
used in entry requirements, although other factors will often be
taken into account by universities and colleges when deciding
whether to offer you a place.
The Unistats website shows the UCAS Tariff points held by the
students who were previously enrolled on the course. These are not
necessarily the minimum entry requirements for the course and you
should check the university or college website for full
information.
For further information on the UCAS Tariff, see the
The National Union of Students
The NUS (National Union of Students) is a voluntary membership
organisation. Its mission is to promote, defend and extend the
rights of students and to develop and champion strong students'
unions. Through its member students' unions, the NUS currently
represents the interests of more than seven million students.
Each university or college will have their own students' union
that is the independent voice of students. Each students' union
will offer services such as clubs and societies, social events and
offer advice and guidance. Their mission is to ensure that the
student voice is listened to within the university or college,
campaign on issues which affect students and to make the university
and college experience great. To find out more about the services
of individual students unions and the work of NUS go to the .
Useful links
Video: What to be aware of when using the data to compare courses+1 (323) 663-5799
United for Human Rights
Primary linksdguxkisjvovukv中文什么意思_百度知道
dguxkisjvovukv中文什么意思
我有更好的答案
你确定这是单词
所以我也看不懂呀，一朋友发给我说，这老外发给他的，看不懂问我。这都已超出我英语水平。
我上网搜了只有一天结果，有些说是一个品牌，但是我看着不像
其他类似问题
为您推荐：
等待您来回答
下载知道APP
随时随地咨询
出门在外也不愁How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Expand the table of content
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley
Microsoft Corporation
Applies To
ASP.NET version 2.0
Microsoft(R) Windows Server? 2003 operating system
This How To shows how to use the RSA Protected Configuration provider and the Aspnet_regiis.exe tool to encrypt sections of your configuration files. You can use Aspnet_regiis.exe tool to encrypt sensitive data, such as connection strings, held in the Web.config and Machine.config files. You can easily export and import RSA keys from server to server. This makes RSA encryption particularly effective for encrypting configuration files used on multiple servers in a Web farm.
Objectives
Learn about key changes for encrypting sensitive data in configuration files in ASP.NET version 2.0.
Learn how to choose between machine-level and user-level containers.
Know which sections can and cannot be encrypted with the RSA protected configuration provider.
Use the RSA protected configuration provider to encrypt connection strings.
Create RSA key containers.
Import and export RSA keys across multiple servers in a Web farm.
Configuration files such as the Web.config file are often used to hold sensitive information, including user names, passwords, database connection strings, and encryption keys. The sections that usually contain sensitive information that you need to encrypt are the following:
&appSettings&. This section contains custom application settings.
&connectionStrings&. This section contains connection strings.
&identity&. This section can contain impersonation credentials.
&sessionState&. This section contains the connection string for the out-of-process session state provider.
Encrypting and decrypting data incurs performance overhead. To keep this overhead to a minimum, encrypt only the sections of your configuration file that store sensitive data.
What's New in 2.0
.NET Framework versions 1.0 and 1.1 had limited support for configuration file encryption. However, .NET Framework 2.0 introduces a protected configuration feature that you can use to encrypt sensitive configuration file data by using a command line tool. The following two protected configuration providers are provided although you can also implement custom providers.
RSAProtectedConfigurationProvider. This is the default provider and uses the RSA public key encryption to encrypt and decrypt data.
DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data.
This How To explains how to use the Aspnet_Regiis.exe tool with the RSAProtectedConfigurationProvider to encrypt sections of your configuration file. This provider uses RSA public key encryption.
ASP.NET automatically decrypts configuration sections
therefore, you do not need to write any additional decryption code.
Summary of Steps
To encrypt configuration sections by using the RSA protected configuration provider, perform the following steps:
Step 1. Identify the configuration sections to be encrypted.
Step 2. Choose machine-level or user-level key containers.
Step 3. Encrypt your configuration file data.
Step 1. Identify the Configuration Sections to Be Encrypted
Encrypting and decrypting data incurs performance overhead. To keep this overhead to a minimum, encrypt only the sections of your configuration file that store sensitive data.
Sections You Cannot Encrypt Using Protected Configuration
If you store sensitive data in any of the following configuration sections, you cannot encrypt it by using a protected configuration provider and the Aspnet_regiis.exe tool:
&processModel&
&mscorlib&
&system.runtime.remoting&
&configProtectedData&
&satelliteassemblies&
&cryptographySettings&
&cryptoNameMapping&
&cryptoClasses&
For the configuration sections listed, you should use the Aspnet_setreg.exe tool, which is also available for previous versions of the .NET Framework.
For more information about using the Aspnet_setreg tool to encrypt data in these configuration sections, see Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.
Step 2. Choose Machine-Level or User-Level Key Containers
The RSAProtectedConfigurationProvider supports machine-level and user-level key containers for key storage. Machine-level key containers are available to all users, but a user-level key container is available to that user only.
The choice of container depends largely on whether or not your application shares a server with other applications and whether or not sensitive data must be kept private for each application.
Machine Key Container
Use a machine-level key container in the following situations:
Your application runs on its own dedicated server with no other applications.
You have multiple applications on the same server and you want those applications to be able to share sensitive information and the same encryption key.
RSA machine key containers are stored in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
User Key Container
Use a user-level key container if you run your application in a shared hosting environment and you want to make sure that your application's sensitive data is not accessible to other applications on the server. In this situation, each application should have a separate identity and the resources for the application?such as files, and databases?should be restricted to that identity.
RSA user-level key containers are stored in the following folder:
\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA
Step 3. Encrypt Your Configuration File Data
This step shows you how to encrypt a connection string in the Web.config file. It shows you how to do this with the machine store and then with the user store.
Using RSA with a Machine-Level Key Container to Encrypt a Connection String in Web.Config
The RSAProtectedConfigurationProvider is the default provider and is configured to use the machine-level key container.
To encrypt the connectionStrings section in Web.config
Create a new Web site named MachineRSA. Make sure that this directory is configured as a virtual directory.
Add a Web.config configuration file to this directory.
Add a sample connectionString similar to the following example:
&connectionStrings&
&add name="MyLocalSQLServer"
connectionString="Initial Catalog=
data source=Integrated Security=SSPI;"
providerName="System.Data.SqlClient"/&
&/connectionStrings&
Run the following command from a .NET command prompt to encrypt the connectionStrings section:
aspnet_regiis -pe "connectionStrings" -app "/MachineRSA"
The above command with the?app switch assumes that there is an IIS virtual directory called MachineRSA. If you are using the Visual Studio .NET 2005 Web server instead of IIS, use the?pef switch, which allows you to specify the physical directory location of your configuration file.
aspnet_regiis.exe -pef "connectionStrings" C:\Projects\MachineRSA
The Aspnet_regiis.exe utility tool is located in the following directory:
%WinDir%\Microsoft.NET\Framework\&versionNumber&
The -pe switch specifies the configuration section to encrypt. This is the XML element name of the configuration section.
For nested elements, such as the &pages& section which is inside &system.web&, the XML name must include the conta for example: "system.web/pages".
The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.
The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path fro for example, "/test/aspnet/MachineRSA".
Because you are using the default provider with default settings, you do not need to use the?prov switch, which specifies the provider name.
If the command is successful, you will see the following output:
Encrypting configuration section...
Succeeded!
The RSA machine key containers are stored in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Review the Web.config file, and examine the changes. The following elements are created:
&EncryptedData&
&EncryptionMethod&
&EncryptedKey&
&CipherData&
&CipherValue&
Your modified Web.Config file, with the connectionStrings section encrypted, should be similar to the following example:
&connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider"&
&EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&KeyName&Rsa Key&/KeyName&
&/KeyInfo&
&CipherData&
&CipherValue&R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=&/CipherValue&
&/CipherData&
&/EncryptedKey&
&/KeyInfo&
&CipherData&
&CipherValue&d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D&/CipherValue&
&/CipherData&
&/EncryptedData&
&/connectionStrings&
Add the following Default.aspx Web page to your application's virtual directory, and then browse to this page to verify that encryption and decryption work correctly.
&%@ Page Language="C#" %&
&script runat="server"&
protected void Page_Load(object sender, EventArgs e)
Response.Write("Clear text connection string is: " +
ConfigurationManager.ConnectionStrings
["MyLocalSQLServer"].ConnectionString);
MyLocalSQLServer is the name of the connection string you previously specified in the Web.config file.
If your ASP.NET application identity does not have access to the .NET Framework configuration key store, the following message is returned:
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'.
Error message from the provider: The handle is invalid.
To grant access to the ASP.NET application identity
If you are not sure which identity to use, check the identity from a Web page by using the following code:
using System.Security.P
protected void Page_Load(object sender, EventArgs e)
Response.Write(WindowsIdentity.GetCurrent().Name);
By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. Open a .NET command prompt, and use the following command to give this account access to the NetFrameworkConfigurationKey store:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
If the command runs successfully you will see the following output:
Adding ACL for access to the RSA Key container...
Succeeded!
You can check the ACL of the file in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Your RSA key container file is the file in this folder with the most recent timestamp.
To change the connectionStrings section back to clear text, run the following command from the command prompt:
aspnet_regiis -pd "connectionStrings" -app "/MachineRSA"
If the command is successful, you will see the following output:
Decrypting configuration section...
Succeeded!
To decrypt the connectionStrings section that specifies a physical path to your application's configuration file, use the -pdf switch as shown here.
aspnet_regiis -pdf "connectionStrings" C:\Projects\MachineRSA
Using RSA with a User-level Key Container to Encrypt a Connection String in Web.config
The following steps show you how to encrypt a &connectionStrings& section by using the RSAProtectedConfigurationProvider (RSA) with a user-level key container.
By default, the ASP.NET applications run under the NT AUTHORITY \ Network Service account. When you access encrypted configuration sections using RSA encryption with the user-level key container, make sure that your application is running with the same user identity as the account you used to encrypt the data.
To encrypt the connectionStrings section in Web.config
Create a new Web site named UserRSA. Make sure that this directory is configured as a virtual directory.
Add a Web.config configuration file to this directory.
Add a sample connectionString similar to the following example:
&connectionStrings&
&add name="MyLocalSQLServer"
connectionString="Initial Catalog=data source=Integrated Security=SSPI;" providerName="System.Data.SqlClient"/&
&/connectionStrings&
Add and configure a protected configuration provider to use a user-level key container. To do this, add the following &configProtectedData& section to your Web.config file. You must set useMachineContainer= "false" to instruct the provider to use the user-level key container. You must also use a unique provider name or a run-time error will be generated.
&configProtectedData&
&providers&
&add keyContainerName="NetFrameworkConfigurationKey"
useMachineContainer="false"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
name="MyUserRSAProtectedConfigurationprovider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /&
&/providers&
&/configProtectedData&
Run the following command from an SDK Command Prompt to encrypt the connectionStrings section:
aspnet_regiis -pe "connectionStrings" -app "/UserRSA" -prov "MyUserRSAProtectedConfigurationProvider"
The -pe switch specifies the configuration section to encrypt. This is the XML element name of the configuration section.
For nested elements, such as the &pages& section, which is inside &system.web&, the XML name must include the conta for example, "system.web/pages".
The -app switch specifies your Web application's virtual path.
If it is a nested application, you need to specify the nested path fro for example, "/test/aspnet/MachineRSA".
The -prov switch specifies the provider name. In this case, this is set to "MyUserRSAProtectedConfigurationProvider" which is the name you specified when configuring the provider in step 4.
If the command is successful, you will see the following output:
Encrypting configuration section...
Succeeded!
RSA user-level key containers are stored in the following folder.
\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA
Review the Web.config and examine the changes. The following elements are created.
&EncryptedData&
&EncryptionMethod&
&EncryptedKey&
&CipherData&
&CipherValue&
Your modified Web.Config file, with the connectionStrings section encrypted, should be similar to the following example:
&connectionStrings configProtectionProvider="MyUserRSAProtectedConfigurationprovider"&
&EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&KeyName&Rsa Key&/KeyName&
&/KeyInfo&
&CipherData&
&CipherValue&In7jNc0GA1eE5nvVR2hrHQ6cC1O1kMbfBXH0alBwlY2OBM4sMa8NbK4pBnUdxFkrx+oSzLYE8SHS6dYZwE3Uf5x7hk46Jx+Z/hn1hneWMyxWn23t41708lQzySsotYnzL5VOdR4P7MrIlhW9eSpbWp7PopSzcLxlGbs41dH7L3E=&/CipherValue&
&/CipherData&
&/EncryptedKey&
&/KeyInfo&
&CipherData&
&CipherValue&Zbu2LQQeiHaUFXWPjLvPR9OLwrozCZj5i2zvcEFlx/UICt2Cn0fTdy51dbHQRjTUXnOyx2PC5vptALXsvxrhPo5I+I2SCr21rRUQ5H55P0ejJZMsAirkNjdhCe5RflVLdK96a6Sw0cz93inWi4rNkE1SiXB76cD08Y+DHrsjmGkW8/TeHCK2f4xSykmdJGRwpxxdt2+3DxMjQPfg39Xkr4JjRlE6FvQ/R6hkEyyqLmCxUxbTV/+mcBcwyE3AzrbOIl+627SG1fP4ovLmMkNvjlTl5lCZnoj6&/CipherValue&
&/CipherData&
&/EncryptedData&
&/connectionStrings&
Add the following Default.aspx Web page to your application's virtual directory, and then browse to this page to verify that encryption and decryption works correctly.
&%@ Page Language="C#" %&
&script runat="server"&
protected void Page_Load(object sender, EventArgs e)
Response.Write("Clear text connection string is: " +
ConfigurationManager.ConnectionStrings
["MyLocalSQLServer"].ConnectionString);
Because your application must access the data using the same identity that you used to encrypt the data, you often need to run the encryption command using your application's service account identity. To do so, you can start a command Window by using the runas command as shown below specifying an appropriate domain and user name.
Runas /profile /user:domain\user cmd
When you run Aspnet_regiis from the resulting command window, it uses the specified identity to perform the encryption. This allows the application that uses the same identity to decrypt the data at run time.
If your application runs under a different account than the one used to encrypt the data, ASP.NET will be unable to access the RSA user-level key container and will generate the following error:
Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'.
Error message from the provider: Keyset does not exist
To change the connectionStrings section back to clear text, run the following command from the .NET command prompt:
aspnet_regiis -pd "connectionStrings" -app "/UserRSA"
If the command is successful, you will see the following output:
Decrypting configuration section...
Succeeded!
Web Farm Scenarios
You can use RSA encryption in Web farms, because you can export RSA keys. You need to do this if you encrypt data in a Web.config file prior to deploying it to other servers in a Web farm. In this case, the private key required to decrypt the data must be exported and deployed to the other servers.
Using the RSA Provider to Encrypt a Connection String in Web.config in a Web Farm
To do this, you must create a custom RSA encryption key container and deploy the same key container on all servers in your Web farm. This won't work by default because the default RSA encryption key, "NetFrameworkConfigurationKey", is different for each computer.
To use RSA encryption in a Web farm
Run the following command from a command prompt to create a custom RSA encryption key:
aspnet_regiis -pc "CustomKeys" -exp
The -exp switch indicates that the keys are exportable.
If the command is successful, you will see the following output:
Creating RSA Key container...
Succeeded!
You can verify that a custom key container exists by looking for the file and checking timestamps in the following location:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
\MachineKeys
Create a new Web project named WebFarmRSA. Make sure that this directory is configured as a virtual directory.
Add a Web.config configuration file to this directory.
Add a sample connectionString similar to the following example:
&connectionStrings&
&add name="MyLocalSQLServer"
connectionString="Initial Catalog=data source=Integrated Security=SSPI;" providerName="System.Data.SqlClient"/&
&/connectionStrings&
Add and configure a custom protected configuration provider. To do this, add the following &configProtectedData& section to the Web.config file. Note that the key container name is set to "CustomKeys", which is the name of the key container created previously.
&configProtectedData&
&providers&
&add keyContainerName="CustomKeys"
useMachineContainer="true"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
name="CustomProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /&
&/providers&
&/configProtectedData&
Run the following command from an SDK Command Prompt to encrypt the connectionStrings section using the custom RSA key:
aspnet_regiis -pe "connectionStrings" -app "/WebFarmRSA" -prov "CustomProvider"
If the encryption is successful, you will see the following output:
Encrypting configuration section...
Succeeded!
Review the Web.config file and examine the changes. The following elements are modified:
&EncryptedData&
&CipherData&
&CipherValue&
Your modified Web.Config file, with the connectionStrings section encrypted, should be similar to the following example:
&connectionStrings configProtectionProvider="CustomProvider"&
&EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"&
&EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /&
&KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&
&KeyName&Rsa Key&/KeyName&
&/KeyInfo&
&CipherData&
&CipherValue&MWOaFwkByLRrvoGYeFUPMmN7e9uwC0D7gFEeyxs3Obll710dLQvD5XaMWcRxg1WwtOE9nysPQRrIJUaCm0b26LGUoa/giGEfvWnslU2kig9SPICzsQAqUSB/inhRckWceb2xdy7TT+EI/vfsu6itJwE2AicMCTwx5I828mP8lV4=&/CipherValue&
&/CipherData&
&/EncryptedKey&
&/KeyInfo&
&CipherData&
&CipherValue&IKO9jezdlJ/k1snyw5+e11cd9IVTlVfHBHSiYLgICf1EnMNd5WxVDZWP1uOW2UaY3Muv7HrSZCRbqq6hfA2uh2rxy5qAzFP+iu7Sg/ku1Zvbwfq8p1UWHvPCukeyrBypiv0wpJ9Tuif7oP4Emgaoa+ewLnETSN411Gow28EKcLpbKWJDOC/9o7g503YM4cnIvkQOomkYlL+MzMb3Rc1FSLiM9ncKQLZi+JkRhlDIxFlsrFpKJhdNf5A0Sq2P71ZLI6G6QDCehHyn3kCZyBmVWJ0ueoGWXV4y&/CipherValue&
&/CipherData&
&/EncryptedData&
&/connectionStrings&
Run the following command from a .NET command prompt to export the custom RSA encryption key:
aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri
The -pri switch causes the private and public key to be exported. This enables both encryption and decryption. Without the?pri switch, you would only be able to encrypt data with the exported key.
If the command is successful, you will see the following output:
Exporting RSA Keys to file...
Succeeded!
Deploy the application and the encrypted Web.config file on a different server computer. Also copy the CustomKeys.xml file to a local directory on the other server, for example to the C:\ directory.
On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:
aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"
If the command is successful, you will see the following output:
Importing RSA Keys from file..
Succeeded!
After you have finished exporting and importing the RSA keys, it is important for security reasons to delete the CustomsKeys.xml file from both machines.
Grant access to the ASP.NET application identity.
The account used to run your Web application must be able to read the RSA key container. If you are not sure which identity your application uses, you can check this by adding the following code to a Web page:
using System.Security.P
protected void Page_Load(object sender, EventArgs e)
Response.Write(WindowsIdentity.GetCurrent().Name);
By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. The following command grants this account access to the CustomKeys store:
aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"
If the command runs successfully, you will see the following output.
Adding ACL for access to the RSA Key container...
Succeeded!
You can check the ACL of the file in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Your RSA key container file will be the one in this folder with the most recent timestamp.
Add the following Default.aspx Web page to your application's virtual directory, and then browse to this page to verify that encryption and decryption work correctly.
&%@ Page Language="C#" %&
&script runat="server"&
protected void Page_Load(object sender, EventArgs e)
Response.Write("Clear text connection string is: " +
ConfigurationManager.ConnectionStrings
["MyLocalSQLServer"].ConnectionString);
MyLocalSQLServer is the name of the connection string you specified previously in the Web.config file.
Additional Resources
Provide feedback by using either a Wiki or e-mail:
Wiki. Security Guidance Feedback Wiki page:
E-mail. Send e-mail to .
We are particularly interested in feedback regarding the following:
Technical issues specific to recommendations
Usefulness and usability issues
Technical Support
Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Product Support Services (PSS). For product support information, please visit the Microsoft Product Support Web site at .
Community and Newsgroups
Community support is provided in the forums and newsgroups:
MSDN Newsgroups: /newsgroups/default.asp.
ASP.NET Forums: .
To get the most benefit, find the newsgroup that corresponds to your technology or problem.
For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.
Contributors and Reviewers
External Contributors and Reviewers:
Andy E Jason Taylor, Security I Manoranjan M P Rudolph Araujo, Foundstone Professional Services
Microsoft Services and PSS Contributors and Reviewers: Aaron Margosis, Adam Semel , Denny Dayton, Tom Christian, Wade Mascia
Microsoft Product Group Contributors and Reviewers: Stefan Schackow, Vikas Malhotra
Test team: Larry Brader, Microsoft C Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
Edit team: Nelly Delgado, Microsoft C Tina Burden McGrayne, Linda Werner & Associates, Inc.
Release Management: Sanjeev Garg, Microsoft Corporation
Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
IN THIS ARTICLE
Is this page helpful?
Additional feedback?
1500 characters remaining
Thank you!
We appreciate your feedback.
Dev centers
Learning resources