Encrypting appSettings in web.config

security .net encryption web-applications appsettings
  • Encrypting and Decrypting Configuration Sections (ASP.NET) on MSDN
  • Encrypting Web.Config Values in ASP.NET 2.0 on ScottGu's blog
  • Encrypting Custom Configuration Sections on K. Scott Allen's blog

EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSection method.

Sample on codeproject:

Encryption of Connection Strings inside the Web.config in ASP.Net 2.0


While on the first glance it seems to be straightforward, there are a couple of hurdles I encountered.

So I am providing steps that worked fine for me (to encrypt the appSettings section) using the default crypto provider:

Encrypt sections in the web.config:

  1. Open Admin command shell (run as administrator!). The command prompt will be on C: which is assumed for the steps below.
    Further assumed is that the application is deployed on D:\Apps\myApp - replace this by the path you're using in step 3.
  2. cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319", on 32 bit Windows systems use Framework instead of Framework64
  3. cd /D "D:\Apps\myApp"
    Note: The /D switch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will be D:\Apps\myApp afterwards.
  4. c:aspnet_regiis -pef appConfig .

You should see this message:

Microsoft (R) ASP.NET RegIIS version 4.0.30319.0 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Encrypting configuration section... Succeeded!

You can also Decrypt sections in the web.config: These are the same steps, but with option -pdf instead of -pef for aspnet_regiis.

It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection strings section via:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

More details about that can be found here.

Note: The encryption above is transparent to your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparent encryption, for example by using Microsoft's DPAPI or by using AES along with the Framework's AES Class.
How it is done with DPAPI I have described here at Stackoverflow. DPAPI works very similar in a sense that it uses the machine's or user credential's keys. Generally, non-transparent encryption gives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.

Related

Print list of lists in separate lines
mysql: why comparing a 'string' to 0 gives true?
How to speed up Powershell Get-Childitem over UNC
JSF 2.0 set locale throughout session from browser and programmatically [duplicate]
Exact number of bins in Histogram in R
What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
How can I fix Chrome to minimize into the Unity launcher?
How can I send SMS from Ubuntu to cell phones?
Synaptics (synclient) no longer loads
VM VirtualBox doesn't allow to enable 64-bit guest on Ubuntu 12.04 and Lenovo G500S
Install newer package version from trusty-backports
Overlay translucent image on desktop / above all windows