Encrypting app.config File
I have an app.config file that I need to distribute with my application. It was created because of a Service Reference to an ASMX web service I added.
It isn't a huge deal if this file is modified/viewed, but I still would like to make it secure. I already check the hash of the config and make sure it is valid, but I still want an added layer of protection.
Here is my config: http://pastie.org/private/zjdzadnfwrjvwkmlbdsqw
So is there anything in there that I can encrypt or anything?
Solution 1:
You cannot encrypt the entire <system.serviceModel> - it's a configuration section group, which contains configuration sections.
The aspnet_regiis will only encrypt configuration sections - so you need to selectively encrypt those parts you need, like this:
cd C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
aspnet_regiis.exe -pef "system.serviceModel/bindings" .
aspnet_regiis.exe -pef "system.serviceModel/services" .
etc.
With this, you can encrypt what you need easily - what isn't too important can be left in clear text.
Word of warning: since it's aspnet_regiis, it expects to be dealing with a web.config file - copy your app.config to a location and call it web.config, encrypt your sections, and copy those encrypted sections back into your own app.config.
Or write your own config section encrypter/decrypter - it's really just a few lines of code! Or use mine - I wrote a small ConfigSectionCrypt utility, come grab it off my OneDrive - with full source (C# - .NET 3.5 - Visual Studio 2008). It allows you to encrypt and decrypt sections from any config file - just specify the file name on the command line.
Solution 2:
You can encrypt sections of an App.Config or Web.Config; there's a heap of blog entries which cover this in detail:
http://www.codeproject.com/KB/dotnet/EncryptingTheAppConfig.aspx
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
http://odetocode.com/blogs/scott/archive/2006/01/08/encrypting-custom-configuration-sections.aspx
Here's the MSDN version: http://msdn.microsoft.com/en-us/library/89211k9b%28VS.80%29.aspx
Here's one for how to encrypt via code: http://davidhayden.com/blog/dave/archive/2006/03/14/2883.aspx
Solution 3:
I use the following to encrypt my connection strings in web.config; why not use the same for yourself? I am not sure though.
To Encrypt:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "\myWebSitePath"
To Decrypt:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" "\myWebsitePath"
Put them in bat files so you can encrypt or decrypt on the fly.
Solution 4:
You must set a reference to System.Configuration.dll in your project for the code to run.
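using System.Configuration;

// exeConfigName is the path to the configuration file to modify.
ExeConfigurationFileMap configFileMap = new ExeConfigurationFileMap();
configFileMap.ExeConfigFilename = exeConfigName;
System.Configuration.Configuration myConfig = ConfigurationManager.OpenMappedExeConfiguration(configFileMap, ConfigurationUserLevel.None);
ConnectionStringsSection section = myConfig.GetSection("connectionStrings") as ConnectionStringsSection;
if (section == null)
{
    // The "as" cast yields null if the section cannot be loaded as a ConnectionStringsSection.
    throw new ConfigurationErrorsException("connectionStrings section not found.");
}
if (section.SectionInformation.IsProtected)
{
    // Remove encryption.
    section.SectionInformation.UnprotectSection();
}
else
{
    // Encrypt the section.
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
}
// Write the change back to the file named in exeConfigName.
myConfig.Save();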
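
Added example (not code from any of the answers above): it generalizes the Solution 4 snippet to the question's case by protecting individual sections such as system.serviceModel/bindings in any .config file, and it reports section groups, which Solution 1 notes cannot be encrypted as a whole. Assumptions: .NET Framework with a reference to System.Configuration.dll; the class name ConfigSectionProtector and the command-line layout are hypothetical.

```csharp
using System;
using System.Configuration;

// Added example; the class name is hypothetical.
static class ConfigSectionProtector
{
    // DPAPI-backed provider that .NET Framework registers in machine.config.
    const string Provider = "DataProtectionConfigurationProvider";

    // args[0] = path to the .config file, args[1..] = section paths,
    // e.g. "system.serviceModel/bindings" "system.serviceModel/client".
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: ConfigSectionProtector <file.config> <section> [<section> ...]");
            return 2;
        }
        var map = new ExeConfigurationFileMap { ExeConfigFilename = args[0] };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(
            map, ConfigurationUserLevel.None);

        int skipped = 0;
        for (int i = 1; i < args.Length; i++)
        {
            ConfigurationSection section = config.GetSection(args[i]);
            if (section == null)
            {
                // Section groups (e.g. "system.serviceModel") cannot be protected as a whole.
                bool isGroup = config.GetSectionGroup(args[i]) != null;
                Console.Error.WriteLine("{0}: {1}", args[i],
                    isGroup ? "is a section group; name its child sections" : "not found");
                skipped++;
            }
            else if (!section.ElementInformation.IsPresent)
            {
                // Inherited from machine.config only; nothing in this file to protect.
                Console.Error.WriteLine("{0}: not present in {1}", args[i], args[0]);
                skipped++;
            }
            else if (!section.SectionInformation.IsProtected)
            {
                section.SectionInformation.ProtectSection(Provider);
                section.SectionInformation.ForceSave = true; // write even if otherwise unchanged
                Console.WriteLine("{0}: protected", args[i]);
            }
        }
        config.Save(ConfigurationSaveMode.Modified);
        return skipped == 0 ? 0 : 1;
    }
}
```

DataProtectionConfigurationProvider encrypts with DPAPI, so a protected section can only be decrypted on the machine where it was encrypted; for a config file that ships with an application, run the protection step on the target machine (for example at install or first run) rather than before distribution.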