I have installed MS Webdeploy (Version 3.5) on both my ("old") Server 2003/IIS6 and ("new") Server 2012/IIS8. Currently, I am following the guidelines in the article here, backing up the Target Server before transferring from "old" to "new" server, and I have successfully backed up in this manner:

    %windir%\system32\inetsrv\appcmd add backup "IIS_Backup_2012"

I am preparing to back up in this way, as well (below).

    cd c:\Program Files\IIS\Microsoft Web Deploy V3
    msdeploy -verb:sync -source:webServer -dest:package=E:\web_data\IIS_Backup_2012.zip

I've backed it up this way successfully, although in a post, (Backup of All websites with MSDeploy), it is suggested that "the encryptPassword [command] is required if you have SSL certs."
As I am new to certificates, which password would be included in that parameter?

Additionally, as I prepare to transfer, are there other commands I might need to add to either/both my backup or my transfer? (Is there a comprehensive list of commands which might indicate the scenarios of usage?) I found a few lists from MS Tech Net (https://technet.microsoft.com/en-us/library/dd569001%28v=ws.10%29.aspx) and (https://technet.microsoft.com/en-us/library/dd569089%28v=ws.10%29.aspx), but I wasn't absolutely sure as to usage in my particular need, which is only transferring web files and configuration, not a database.

Thanks very much for any suggestions.

buck1112

1 Answer

Well, I just learned why you need a password. (For those who don't know how, I've shown an example command line at the bottom.)

According to one of the examples on this page, the encryptPassword argument is an option to archiveDir, and it takes any encrypted data in the IIS configuration (say, passwords) and stores them encrypted (with the specified password) in the archive. Here's an excerpt of all three relevant examples, since they might disappear soonish:

  1. Archive the metabase and specify an encrypt password.

    msdeploy -verb:sync -source:metaKey -dest:archivedir=c:\mydir,encryptPassword=MyPassKey
    
  2. Display the archive. The passwords will show in encrypted form.

    msdeploy -verb:dump -source:archivedir=c:\mydir
    
  3. Use the password that you specified earlier to display the archive. The passwords will show in plain text.

    msdeploy -verb:dump -source:archivedir=c:\mydir,encryptPassword=MyPassKey
    

If I understand correctly, for a live site this information is encrypted with the machine key of the box IIS is running on. Of necessity, msdeploy must decrypt that info, since the machine key will be different on the new machine. So, you must choose your own password, in order to create an archive which is independent of the original box, or of the box you're running msdeploy from.

Example

In my case, I knew I needed to specify this option since msdeploy refused to finish building the archive, and exited with an error like the following (emphasis added):

Error: The property 'password' located at '/webServer/appHostConfig[@path='']/location[@path='']/section[@name='system.applicationHost/applicationPools']/applicationPools/add[@name='NameOfAppPool']/processModel' is marked as secure. You must specify an encryption password to archive this property.

Because I'm using IIS 7, the "location" given is an XPath expression referring to the XML element where the secure datum is located. I guessed correctly that the XML file in question was C:\Windows\System32\inetsrv\config\applicationHost.config, and here was the line in question:

<add name="NameOfAppPool" autoStart="true" managedPipelineMode="Integrated">
    <processModel identityType="SpecificUser" userName="IUSR_CUSTOM" password="[enc:IISWASOnlyAesProvider:G0BBLEDYG00K=:enc]" />
</add>

Sure enough, the line contains a password attribute, which I don't want stored in plain text.

How

Here's how you specify an encrypt password for msdeploy:

msdeploy -verb:sync -source:metaKey -dest:archivedir=c:\mydir,encryptPassword=MyPassKey

You can also use -source:archivedir=c:\mydir,encryptPassword=MyPassKey when you need to decrypt the encrypted data.

Caveat

Be careful, though. I noticed that encryptPassword would not accept an arbitrary password like this: "exfoliate vitalize despair reclining unicycle marbling aim petted". It gives a non-sequitur error message, too:

Error: The provider 'archivedir' does not support the 'encryptPassword=exfoliate vitalize despair reclining unicycle marbling aim petted' setting. Supported settings are (authType, computerName, encryptPassword, includeAcls, password, prefetchPayload, userName, wmsvc).

I think it didn't like the spaces. When I used hyphens instead, it worked. (No, I didn't use this password ;-)

jpaugh
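A pre-flight check for the situation the answer describes, as an added example that is not part of the original posts or of msdeploy: it walks an applicationHost.config and lists every attribute stored in `[enc:provider:...:enc]` form, the kind of value the answer traced the "marked as secure" error to. The sample XML, including its site and account names, is constructed; on a real server you would pass in the contents of C:\Windows\System32\inetsrv\config\applicationHost.config.

```python
import re
import xml.etree.ElementTree as ET

# IIS 7+ writes secure attributes as [enc:<provider>:<ciphertext>:enc]
ENC_VALUE = re.compile(r"^\[enc:(?P<provider>[^:\]]+):.*:enc\]$")

# Constructed sample modelled on the excerpt in the answer; not a real config.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" autoStart="true" />
      <add name="NameOfAppPool" autoStart="true" managedPipelineMode="Integrated">
        <processModel identityType="SpecificUser" userName="IUSR_CUSTOM"
                      password="[enc:IISWASOnlyAesProvider:G0BBLEDYG00K=:enc]" />
      </add>
    </applicationPools>
    <sites>
      <site name="ExampleSite" id="1">
        <application path="/">
          <virtualDirectory path="/" userName="svc_example"
                            password="[enc:AesProvider:C0NSTRUCTED=:enc]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

def find_secure_properties(config_xml):
    """Return (element path, attribute, provider) for each encrypted attribute."""
    findings = []
    def walk(elem, parent_path):
        label = elem.tag
        if "name" in elem.attrib:
            label += "[@name='%s']" % elem.attrib["name"]
        path = parent_path + "/" + label
        for attr, value in elem.attrib.items():
            match = ENC_VALUE.match(value)
            if match:
                findings.append((path, attr, match.group("provider")))
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(config_xml.strip()), "")
    return findings

if __name__ == "__main__":
    for path, attr, provider in find_secure_properties(SAMPLE_CONFIG):
        print("%s  %s  (%s)" % (path, attr, provider))
```

An empty result means the scan found no encrypted attributes in that file; any hit is a property to expect msdeploy to ask an encryptPassword for.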