I'm trying to encrypt a web app's web.config, but this application exists on 2 different environments (stage, production), each of which should use a different key container.

So I'm using this encryption header on my stage config:

<configProtectedData defaultProvider="ApplicationProvider">
  <providers>
    <add name="ApplicationProvider"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="ApplicationStageKeys"
      useMachineContainer="true"
      useOAEP="true"/>
  </providers>
</configProtectedData>

And this header on my production config:

<configProtectedData defaultProvider="ApplicationProvider">
  <providers>
    <add name="ApplicationProvider"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="ApplicationProductionKeys"
      useMachineContainer="true"
      useOAEP="true"/>
  </providers>
</configProtectedData>

Encryption works fine, but every time I try to decrypt, I'm getting the following error, which leaves far too much to the imagination...

C:\Windows\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -pdf connectionStrings C:\Temp

Decrypting configuration section...
Failed to decrypt using provider 'ApplicationProvider'. Error message from the provider: Bad Data.
(C:\Temp\web.config line 75)

Bad Data.

Failed!

I've imported the keys on each server and set up ACLs for both, but still no joy. Anyone else ever have this problem?

Solution

After looking through it I found a fix. Our security guy asked us to turn the 'useOAEP' flag to 'true'; I removed this and the encryption and decryption work perfectly!

I wish I could explain why this fixed it, but when all you're provided is a dumb error message (Bad Data!) you can't exactly expect a smart explanation.

Here's what our encryption headers look like now:

<configProtectedData defaultProvider="ApplicationProvider">
  <providers>
    <add name="ApplicationProvider"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="ApplicationProductionKeys"
      useMachineContainer="true"/>
  </providers>
</configProtectedData>

Hopefully this will save others a few inches on their hairline when they attempt encryption.
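
A round-trip check that catches a provider definition which encrypts but cannot decrypt, before the encrypted file is deployed. This is an added example, not part of the original question or answer. It assumes the source web.config is still plaintext and already contains the `configProtectedData` block; `$SourceConfig` and the helper `Get-ConnectionStrings` are hypothetical names.

```powershell
# Added example: encrypt and decrypt a throwaway copy of web.config, then compare.
$regiis       = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$SourceConfig = 'C:\inetpub\wwwroot\App\web.config'   # hypothetical path, adjust per server
$Section      = 'connectionStrings'                   # section name from the post
$Provider     = 'ApplicationProvider'                 # provider name from the post

function Get-ConnectionStrings([string]$Path) {
    # Return sorted "name=connectionString" lines; local-name() ignores any xmlns.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $xml.SelectNodes("//*[local-name()='connectionStrings']/*[local-name()='add']") |
        ForEach-Object { '{0}={1}' -f $_.GetAttribute('name'), $_.GetAttribute('connectionString') } |
        Sort-Object
}

$work = Join-Path $env:TEMP ('cfg-roundtrip-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$copy = Join-Path $work 'web.config'
try {
    Copy-Item -LiteralPath $SourceConfig -Destination $copy
    $before = (Get-ConnectionStrings $copy) -join "`n"
    if (-not $before) { throw "No plaintext <add> entries found in $Section; nothing to verify." }

    # Encrypt the copy with the provider under test.
    $encOut = & $regiis -pef $Section $work -prov $Provider 2>&1
    $encXml = New-Object System.Xml.XmlDocument
    $encXml.Load($copy)
    if (-not $encXml.SelectSingleNode("//*[local-name()='$Section']/*[local-name()='EncryptedData']")) {
        throw "Section was not encrypted:`n$($encOut -join "`n")"
    }

    # Decrypt the same copy; this is the step that failed with 'Bad Data' in the post.
    $decOut = & $regiis -pdf $Section $work 2>&1
    $after  = (Get-ConnectionStrings $copy) -join "`n"
    if ($after -ne $before) {
        throw "Round trip failed for provider '$Provider':`n$($decOut -join "`n")"
    }
    "Round trip OK for provider '$Provider' on $env:COMPUTERNAME"
}
finally {
    # The working copy holds plaintext connection strings; always remove it.
    Remove-Item -LiteralPath $work -Recurse -Force
}
```

Run it on each server (stage and production) under the account that will perform the real encryption, so the key container ACLs are exercised as well.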

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow