So, using the aspnet_regiis.exe utility, I have done the following:
rem Create the container
aspnet_regiis -pc MyRSAKey -exp
rem Write the key to a file
aspnet_regiis -px MyRSAKey MyRSAKey.xml
rem Install the key into a machine-level RSA key provider
aspnet_regiis -pi MyRSAKey MyRSAKey.xml
rem Grant access to the container
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"
Now I thought that to use this key I needed to add this to the web.config file:
<configProtectedData defaultProvider="MyProviderName">
  <providers>
    <add
      name="MyProviderName"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="MyRSAKey"
      useMachineContainer="true" />
  </providers>
</configProtectedData>
Now, when I run this command, it works:
aspnet_regiis -pef "sectionName" "pathToConfigFile" -prov "MyProviderName"
The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.
Also, Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer), saying that the 'keyContainerName' attribute is not allowed.
What's going on here?
To tackle the two questions out of order:

I haven't decompiled the relevant configuration section class to check, but I observe that RsaProtectedConfigurationProvider has properties KeyContainerName and UseMachineContainer, so it seems to be that a) when parsing a providers/add element it uses reflection to set corresponding fields on the instance of type; and b) whoever wrote the XML schema which VS2010 uses to validate .config files forgot an <xsd:anyAttribute> tag. (FWIW this question is what I was hoping to answer when I discovered your question, which ranks highly in Google for "keycontainername attribute is not allowed".)

When you say "it works", I think you mean that aspnet_regiis -pef doesn't give an error. However, if you try to access the protected configuration section in your code I bet it will complain unless you used the correct keyContainerName. I suspect that if the name doesn't correspond to a known key container it creates a new one, but I haven't attempted to verify this.
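The answer above makes two testable claims: that an unknown keyContainerName may silently get a fresh container, and that the mismatch only surfaces when the section is actually decrypted. The following PowerShell script is an added example, not code from the question, the answer, or the .NET Framework documentation. It checks both points without IIS: it asks the CSP whether a machine-level container with the configured name already exists (using UseExistingKey so the check itself cannot create one), then opens the web.config through the System.Configuration API and forces decryption of the section so that a wrong or missing container fails here rather than at request time. The file path, section name and the MyRSAKey / MyProviderName values in the usage call are placeholders taken from the question; substitute your own.

```powershell
# Added example (not from the original Q&A): verify which RSA key container a protected
# config section is bound to, whether that container exists, and whether it decrypts.
Add-Type -AssemblyName System.Configuration

function Test-MachineRsaContainer {
    # Returns $true only if a machine-level RSA container with this name already exists.
    # UseExistingKey makes the CSP fail instead of creating a new container for an unknown name.
    param([Parameter(Mandatory)][string]$Name)

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
        $rsa.Dispose()
        return $true
    } catch {
        # CryptographicException: the container does not exist (or this account cannot open it)
        return $false
    }
}

function Test-ProtectedSection {
    # Opens the config file as a mapped exe config (no IIS needed), reports the provider and
    # container the section resolves to, and triggers decryption by reading the section.
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,   # placeholder: path to your web.config
        [Parameter(Mandatory)][string]$SectionName      # placeholder: e.g. connectionStrings
    )

    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = $WebConfigPath
    $config = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)

    $result = [ordered]@{
        Section          = $SectionName
        IsProtected      = $null
        ProviderName     = $null
        KeyContainerName = $null
        UseMachineStore  = $null
        ContainerExists  = $null
        Decrypted        = $false
        Error            = $null
    }

    try {
        # GetSection deserializes the section, which decrypts it first; a bad container throws here.
        $section = $config.GetSection($SectionName)
        $info = $section.SectionInformation
        $result.IsProtected = $info.IsProtected
        if ($info.IsProtected) {
            $provider = $info.ProtectionProvider
            $result.ProviderName = $provider.Name
            if ($provider -is [System.Configuration.RsaProtectedConfigurationProvider]) {
                $result.KeyContainerName = $provider.KeyContainerName
                $result.UseMachineStore  = $provider.UseMachineContainer
                if ($provider.UseMachineContainer) {
                    $result.ContainerExists = Test-MachineRsaContainer -Name $provider.KeyContainerName
                }
            }
        }
        $result.Decrypted = $true
    } catch {
        # Typical message: "Failed to decrypt using provider '...'. ... The RSA key container could not be opened."
        $result.Error = $_.Exception.Message
    }

    return [pscustomobject]$result
}

# Usage (placeholders): does the container named in the question exist on this machine,
# and does the encrypted section decrypt with the provider declared in web.config?
Test-MachineRsaContainer -Name 'MyRSAKey'
Test-ProtectedSection -WebConfigPath 'C:\inetpub\wwwroot\MyApp\web.config' -SectionName 'connectionStrings'
```

Run it as the identity that will decrypt in production (here the Network Service account the question grants access to), because the container check and the decryption both depend on that account's ACL on the container. If ContainerExists is $false while Decrypted is $true, the section was encrypted with whatever container the provider resolved at aspnet_regiis time, not the one you exported and installed, which is exactly the situation the answer suspects. A section encrypted against a container that is absent on a second machine reports Decrypted $false with the provider's error message, which is the failure the answer predicts you would otherwise only see from application code.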