Securing Azure ServiceConfiguration values for Enterprise Deployment

So, you have configuration values that you want to secure for deployment to different environments (DEV, TEST, PROD).  How can you easily accomplish this task so that encrypted values can be stored in your source code repository?  The easiest way to accomplish this task is using a x509 cert uploaded in the deployment configuration. However, the settings are only as secure as your policy/procedures for protecting the private key! Here is the code we use in an Azure Role to decrypt a value in the ServiceConfiguration:

    /// <summary>Wrapper that will wrap all of our config based settings.</summary>
    public static class GetSettings
    {
        private static object _locker = new object();

        /// <summary>locked dictionary that caches our settings as we look them up.  Read access is ok but write access should be limited to only within a lock</summary>
        private static Dictionary<string, string> _settingValues = new Dictionary<string, string>();

        /// <summary>look up a given setting, first from the locally cached values, then from the environment settings, then from app settings.  This handles caching those values in a static dictionary.</summary>
        /// <param name="settingsKey"></param>
        /// <returns></returns>
        public static string Lookup(string settingsKey, bool decrypt = false)
        {
            // have we loaded the setting value?
            if (!_settingValues.ContainsKey(settingsKey))
            {
                // lock our locker, no one else can get a lock on this now
                lock (_locker)
                {
                    // now that we're alone, check again to see if someone else loaded the setting after we initially checked it
                    //  if no one has loaded it yet, still, we know we're the only one thats goin to load it because we have a lock
                    //  and they will check again before they load the value
                    if (!_settingValues.ContainsKey(settingsKey))
                    {
                        var lookedUpValue = "";
                        // lookedUpValue = RoleEnvironment.IsAvailable ? RoleEnvironment.GetConfigurationSettingValue(settingsKey) : ConfigurationManager.AppSettings[settingsKey];
                        // CloudConfigurationManager.GetSetting added in 1.7 - if in Role, get from ServiceConfig else get from web config.
                        lookedUpValue = CloudConfigurationManager.GetSetting(settingsKey);
                        if (decrypt)
                            lookedUpValue = Decrypt(lookedUpValue);
                        _settingValues[settingsKey] = lookedUpValue;
                    }
                }

            }

            return _settingValues[settingsKey];
        }

        private static string Decrypt(string setting)
        {
            var thumb = Lookup("DTSettings.CertificateThumbprint");
            X509Store store = null;

            try
            {
                store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

                store.Open(OpenFlags.ReadOnly);
                var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);

                var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
                return Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(setting), false));
            }
            finally
            {
                if (store != null)
                    store.Close();
            }
        }
    }

You then can leverage RoleEnvironment.IsAvailable to only decrypt values in the emulator or deployed environment, thereby running the web role in local IIS using an unencrypted App setting with key="MyConnectionString" for local debugging (without the emulator):

ContextConnectionString = GetSettings.Lookup("MyConnectionString", decrypt: RoleEnvironment.IsAvailable);

Then, to complete the example, we created a simple WinForsm App with the following code to encrypt/decrypt the value with the given cert. Our production team maintains access to the production cert and encrypts the necessary values using the WinForms App. They then provide the DEV team with the encrypted value. A full working copy of the WinForms App is attached at the bottom of this post. Here's the main code for the WinForms App:

private void btnEncrypt_Click(object sender, EventArgs e)
        {
            var thumb = tbThumbprint.Text.Trim();
            var valueToEncrypt = Encoding.ASCII.GetBytes(tbValue.Text.Trim());

            var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);

            var rsaProvider = (RSACryptoServiceProvider)cert.PublicKey.Key;
            var cypher = rsaProvider.Encrypt(valueToEncrypt, false);
            tbEncryptedValue.Text = Convert.ToBase64String(cypher);
            store.Close();
            btnCopy.Enabled = true;
        }

        private void btnDecrypt_Click(object sender, EventArgs e)
        {
            var thumb = tbThumbprint.Text.Trim();
            var valueToDecrypt = tbEncryptedValue.Text.Trim();

            var store = new X509Store(StoreName.My, rbLocalmachine.Checked ? StoreLocation.LocalMachine : StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            var cert = store.Certificates.Cast<X509Certificate2>().Single(xc => xc.Thumbprint == thumb);

            var rsaProvider = (RSACryptoServiceProvider)cert.PrivateKey;
            tbDecryptedValue.Text = Encoding.ASCII.GetString(rsaProvider.Decrypt(Convert.FromBase64String(valueToDecrypt), false));
        }

        private void btnCopy_Click(object sender, EventArgs e)
        {
            Clipboard.SetText(tbEncryptedValue.Text);
        }

Cheers and Happy Coding!

AzureEncrypt.zip (11.58 kb)