Sunday, December 10, 2006

Encrypting Web.config and App.config

Recently I got a chance to play around with the Data Protection Application Programming Interface (DPAPI).  With .NET 2.0 installed, you can encrypt your Web.config just by using aspnet_regiis.exe on the command line.

aspnet_regiis.exe -pe "connectionStrings" -app "/YourWebSite" -prov "DataProtectionConfigurationProvider"

You can read the connectionStrings section back using ConfigurationManager as if the file were not encrypted. That is all you have to do; the encryption is transparent to your application.

This encryption works great for Web.config. However, it does not work if you want to encrypt the App.config of a non-web application, because aspnet_regiis is hardcoded to look for Web.config.

One can programmatically encrypt just as easily:

// Open the configuration file and get the section to protect
Configuration configuration = ConfigurationManager.OpenExeConfiguration(appConfig);
ConfigurationSection section = configuration.GetSection("connectionStrings");

// Encrypt only if the section is not already protected
if (!section.SectionInformation.IsProtected) {
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    section.SectionInformation.ForceSave = true;
    configuration.Save(ConfigurationSaveMode.Modified);
}

To decrypt, just do the opposite:

if (section.SectionInformation.IsProtected) {
    // …
    section.SectionInformation.UnprotectSection();
    // …
}

The same code works for both Web.config and App.config. For Web.config I would open the file with WebConfigurationManager.OpenWebConfiguration(webConfig) instead. In our environment we have a web project and some WinForms projects, so it is easier for us to create a simple tool that maintains both configuration file types.
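A tool of the kind described above could look like the following; this is an added example, not the author's tool. The class name ConfigProtector and the command-line layout are assumptions, and the project needs references to System.Configuration and System.Web.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical tool (not from the original post).
// Usage: ConfigProtector <exe|web> <target> <section> <protect|unprotect>
//   exe: target is the path to the .exe (the API appends ".config" itself)
//   web: target is the site's virtual path, e.g. "/YourWebSite"
static class ConfigProtector
{
    const string Provider = "DataProtectionConfigurationProvider";

    static int Main(string[] args)
    {
        // Reject unknown modes and actions so a typo never decrypts by accident
        if (args.Length != 4 || (args[0] != "exe" && args[0] != "web")
            || (args[3] != "protect" && args[3] != "unprotect"))
        {
            Console.Error.WriteLine("usage: ConfigProtector <exe|web> <target> <section> <protect|unprotect>");
            return 2;
        }
        Configuration config = args[0] == "web"
            ? WebConfigurationManager.OpenWebConfiguration(args[1])
            : ConfigurationManager.OpenExeConfiguration(args[1]);

        ConfigurationSection section = config.GetSection(args[2]);
        if (section == null)
        {
            Console.Error.WriteLine("Section '{0}' not found in {1}", args[2], config.FilePath);
            return 1;
        }

        bool protect = args[3] == "protect";
        if (protect == section.SectionInformation.IsProtected)
        {
            Console.WriteLine("Nothing to do: IsProtected is already {0}", protect);
            return 0;
        }
        if (protect)
            section.SectionInformation.ProtectSection(Provider);
        else
            section.SectionInformation.UnprotectSection();

        // ForceSave writes the section even if its values did not change
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        Console.WriteLine("{0}: '{1}' IsProtected = {2}", config.FilePath, args[2], protect);
        return 0;
    }
}
```

With the default machine-level DPAPI settings, a section protected this way can only be decrypted on the machine where it was protected, so run the tool on the target host rather than copying an encrypted file between servers.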

 

 

Copyright © Aaron Feng