Encrypting Web.Config Values in ASP.NET 2.0

One of the cool new features in the configuration system with ASP.NET 2.0 is the ability to encrypt any of the values stored within it (note: this works with any configuration section -- including ones you build yourself). This is obviously important when storing sensitive information like connection strings -- and it means you no longer have to roll your own solution.

K Scott Allen posted a super simple example of how to encrypt a section on his blog (spoiler: it is a one-line command).

Here are a few other good articles I found on the web that discuss it more as well:

Hope this helps,

Scott

P.S. While I'm mentioning building your own configuration sections, I thought I'd point out this past blog post I did that references Dmitry's cool utility for building your own custom configuration sections + VS 2005 XML intellisense support for them.

13 Comments

  • Hi Yaip,

    ASP.NET 2.0 now actually ships with a new MMC property page that surfaces ASP.NET settings inside the IIS admin tool. Included as part of this is support for editing the connectionstring, provider and appsettings sections (which are some of the most commonly changed values).

    Hope this helps,

    Scott

  • May we benefit from this feature and use it in a windows form project too? If so, how?

    Regards,

    Luciano Evaristo Guerche

  • If somebody steals web.config and runs aspnet_regiis on another machine, does it get web.config in plain text? Or does aspnet_regiis use some salt, the PKI infrastructure or some other scheme which does not allow decryption on other machines?

    Regards,

    Luciano Evaristo Guerche

  • Hi Luciano,

    The encryption is typically combined with a machine key that also needs to be installed on the machine (in a secure location where only admins have access). This means that even if the web.config is stolen, people cannot reverse engineer its values.

    Hope this helps,

    Scott

  • Hi Luciano,

    I just checked with someone on my team and they replied:

    Config encryption works with Winforms apps as well. Developers still need to use aspnet_regiis though for command-line configuration of the key containers if they are using RSA encryption.

    Regardless of the selected protected config provider (DPAPI or RSA), you can programmatically encrypt and decrypt config sections through the config API if you don't want to use the command line tool for this.

    Hope this helps,

    Scott
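
The programmatic route mentioned in the reply above, as an added example (not code from the post or from Microsoft): a small console tool that protects or unprotects one section of an application's .config file through the System.Configuration API. The tool name `protectcfg` and its arguments are made up for illustration; the two provider names are the defaults registered in machine.config.

```csharp
using System;
using System.Configuration; // add a reference to System.Configuration.dll

static class ConfigSectionProtector
{
    // Default protected-configuration provider names from machine.config.
    const string Dpapi = "DataProtectionConfigurationProvider";
    const string Rsa = "RsaProtectedConfigurationProvider";

    // Hypothetical usage: protectcfg <exePath> <sectionName> [dpapi|rsa|off]
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: protectcfg <exePath> <sectionName> [dpapi|rsa|off]");
            return 2;
        }
        string mode = args.Length > 2 ? args[2].ToLowerInvariant() : "dpapi";

        // Opens <exePath>.config, i.e. the WinForms/console case from the thread.
        Configuration config = ConfigurationManager.OpenExeConfiguration(args[0]);
        ConfigurationSection section = config.GetSection(args[1]);
        if (section == null) return Fail("section not found: " + args[1]);

        SectionInformation info = section.SectionInformation;
        if (info.IsLocked) return Fail("section is locked by a parent config file");

        if (mode == "off")
        {
            if (!info.IsProtected) return Fail("section is already in clear text");
            info.UnprotectSection(); // only works where the key material is present
        }
        else
        {
            string provider = mode == "rsa" ? Rsa : Dpapi;
            if (ProtectedConfiguration.Providers[provider] == null)
                return Fail("provider not registered: " + provider);
            if (info.IsProtected) return Fail("section is already encrypted");
            info.ProtectSection(provider);
        }

        info.ForceSave = true;                      // write the section even if unchanged
        config.Save(ConfigurationSaveMode.Modified); // rewrites the .config file on disk
        Console.WriteLine("{0}: protected={1}", args[1], info.IsProtected);
        return 0;
    }

    static int Fail(string message) { Console.Error.WriteLine(message); return 1; }
}
```

Application code keeps reading the section through the normal configuration API; decryption happens transparently as long as the process can reach the DPAPI or RSA key material on that machine.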

  • Hi, I didn't know what I was doing and I encrypted my settings; as a result my documents etc. are garbled. How can I undo this situation?

  • Hi John,

    Can you send me email (scottgu@microsoft.com) describing the steps you did? I can then help you.

    Thanks,

    Scott

  • Our web.config references the wse3policyCache.config which contains username and password for the Certs we are using. Obviously it would be good to encrypt this file, but we are not sure if that will work.

    Thoughts?

  • Hi Mark,

    I'm not 100% sure how that configuration section is referenced. If it is referenced using the standard System.Configuration APIs, then you should be able to encrypt its values just fine.

    Hope this helps,

    Scott

  • I have a custom section for my web application that contains sensitive data. Because of that, I want to have it encrypted in the same way I encrypt the "connectionStrings" section using the ASPNET_REGIIS tool.

    The problem is that I get an error saying that the ASPNET_REGIIS tool can't find the assembly file that contains my custom section.

    My questions are:

    1. Can ASPNET_REGIIS encrypt my custom section?

    2. Where does it look for my handler and how do I give a reference to it?

  • Hi Mukund,

    I don't know the answer to this off the top of my head - but if you send me an email summarizing the issue I can loop you in with someone who does.

    Thanks,

    Scott

  • I have the same problem with a custom section as Mukund has.
    Did you have some progress on that issue?

    Thanks in advance
    eladio@we-can.co.il
