
Decrypting/Encrypting Tridion.ContentManager.config

If you have multiple Tridion Content Management servers, you may have tried copying the Tridion.ContentManager.config file from one server to another, only to conclude that you broke your Tridion installation. The result may be that one of the servers can no longer connect to its database.

Some parts of the Tridion.ContentManager.config file are encrypted with a machine-specific key that is unique to each server. When you do a new Tridion installation, parts of the configuration file are encrypted with this key. This means you can't copy the configuration file from one machine to another without decrypting those parts first.

Luckily, decrypting those parts is not hard and the tool needed is part of the .NET installation. This tool is actually designed for encrypting/decrypting web.config files, so you would need to rename the configuration file first. 

To decrypt the configuration file, start by making a temporary directory to hold the Tridion.ContentManager.config file. For this example we'll use c:\temp. From a new command prompt:

mkdir c:\temp

Copy the Tridion.ContentManager.config file to this directory and rename it to web.config. Remember that the tool (aspnet_regiis.exe) was designed for web applications, which is why this step is necessary.

copy c:\tridion_install_dir\config\Tridion.ContentManager.config c:\temp\web.config

Now it's time to decrypt the parts that are encrypted in this config file. 

c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "database" c:\temp

After entering this command, the database section in the config is decrypted and unprotected. In this example I'm decrypting only the database section of the config file. There are around four sections that are encrypted, so you need to repeat this for each one. They are "database", "tridion.security", "search" and "searchIndexer". There might be more in the future, and those must be decrypted as well to transfer the file properly to another server.

After you have copied the file to the other server, encrypt those parts again before putting the file in the Tridion config directory. Tridion will work with the decrypted config file, but you wouldn't do this on a production server. So make a new temporary directory on this other server and put the web.config file there.

Once the file is in the temporary directory on the other server (assuming you made c:\temp), enter the following:

c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "database" c:\temp -prov "TridionRsaProtectedConfigurationProvider"

Remember that this MUST be done on the server where you're putting this configuration file. Repeat this step for "tridion.security", "search" and "searchIndexer" as well.

If everything is successful, the web.config file from c:\temp can be copied to the Tridion config directory under its original name, Tridion.ContentManager.config. Restart the Tridion COM+ service and all the Tridion Windows services to pick up the new settings.
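
The re-encryption step above, repeated for all four sections and followed by a check that none of them was left in plain text, as an added example (not part of the original post). It is meant to be run on the destination server before the file is copied into the Tridion config directory. The function name Get-SectionProtection is hypothetical, and the script assumes each section is a direct child of the root configuration element.

```powershell
# Added example: re-protect every section named in the article, then verify.
# Run on the DESTINATION server, from an elevated PowerShell prompt.
$regiis   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$workDir  = 'C:\temp'          # contains the transferred file as web.config
$provider = 'TridionRsaProtectedConfigurationProvider'
$sections = 'database', 'tridion.security', 'search', 'searchIndexer'

# Hypothetical helper: report, per section, whether it carries a protection
# provider attribute and an <EncryptedData> child (what .NET protected
# configuration writes when a section is encrypted).
function Get-SectionProtection {
    param([string]$ConfigPath, [string[]]$Names)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    foreach ($name in $Names) {
        # Assumption: the section sits directly under <configuration>.
        $node = $xml.DocumentElement.SelectSingleNode("*[local-name()='$name']")
        $prov = ''
        $enc  = $false
        if ($null -ne $node) {
            $prov = $node.GetAttribute('configProtectionProvider')
            $enc  = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
        }
        [pscustomobject]@{
            Section   = $name
            Present   = ($null -ne $node)
            Provider  = $prov
            Encrypted = $enc
        }
    }
}

foreach ($s in $sections) {
    & $regiis -pef $s $workDir -prov $provider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for section '$s'" }
}

# The XML check is the authoritative one: every section must be encrypted
# with the Tridion provider before the file goes back into production.
$report = Get-SectionProtection -ConfigPath (Join-Path $workDir 'web.config') -Names $sections
$report | Format-Table -AutoSize
$bad = $report | Where-Object { -not $_.Encrypted -or $_.Provider -ne $provider }
if ($bad) { throw "Not protected with ${provider}: $($bad.Section -join ', ')" }
```

Get-SectionProtection only reads the file, so it can also be run on its own against any copy of the config to see which sections are currently in plain text.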