Geeks With Blogs
Aaron Feng Agile Software Development (XP), Test Driven Development, .NET, etc.....

Recently I got a chance to play around with the Data Protection Application Programming Interface (DPAPI).  With .NET 2.0 installed, you can encrypt your Web.config just by using aspnet_regiis.exe on the command line.

aspnet_regiis.exe -pe "connectionStrings" -app "/YourWebSite" -prov "DataProtectionConfigurationProvider"

You can read the connectionStrings section back using ConfigurationManager as if the file were not encrypted.  That is all you have to do; the encryption is transparent to your application.

This encryption works great for Web.config; however, it does not work if you want to encrypt the App.config of a non-web application, because aspnet_regiis is hardcoded to look for Web.config.

One can programmatically encrypt just as easily:

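    // requires: using System.Configuration; (reference System.Configuration.dll)
    // OpenExeConfiguration takes the path of the executable and opens <path>.config
    Configuration configuration = ConfigurationManager.OpenExeConfiguration(appConfig);
    ConfigurationSection section = configuration.GetSection("connectionStrings");

    if (!section.SectionInformation.IsProtected) {
        // Encrypt the section with the DPAPI provider and write it back to disk
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        configuration.Save(ConfigurationSaveMode.Modified);
    }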

To decrypt, just do the opposite:

    if (section.SectionInformation.IsProtected) {
        // …
        section.SectionInformation.UnprotectSection();
        // …
    }

The same code above can work for Web.config and App.config.  For Web.config I would use  WebConfigurationManager.OpenWebConfiguration(webConfig).  For our environment we have a web project and some winform projects, so it is easier for us to create a simple tool to maintain both configuration file types.
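A sketch of the kind of small tool described above, as an added example rather than the author's own utility. The name ConfigProtect and its command-line arguments are hypothetical; it assumes the .NET Framework with references to System.Configuration.dll and System.Web.dll.

```csharp
// Added example: ConfigProtect.exe <protect|unprotect> <app|web> <path> [section]
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

static class ConfigProtect
{
    const string Provider = "DataProtectionConfigurationProvider"; // DPAPI, as in the post

    static Configuration Open(string kind, string path)
    {
        if (kind == "web") // path is an IIS virtual path such as /YourWebSite
            return WebConfigurationManager.OpenWebConfiguration(path);
        // A missing file would silently yield machine-level defaults, so fail early.
        if (!File.Exists(path)) throw new FileNotFoundException("No config file", path);
        // Map the .config file itself; OpenExeConfiguration wants the .exe path instead.
        ExeConfigurationFileMap map = new ExeConfigurationFileMap();
        map.ExeConfigFilename = path;
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    static int Main(string[] args)
    {
        if (args.Length < 3 || (args[0] != "protect" && args[0] != "unprotect"))
        {
            Console.Error.WriteLine("usage: ConfigProtect <protect|unprotect> <app|web> <path> [section]");
            return 2;
        }
        bool protect = args[0] == "protect";
        string name = args.Length > 3 ? args[3] : "connectionStrings";

        Configuration config = Open(args[1], args[2]);
        ConfigurationSection section = config.GetSection(name);
        if (section == null)
            throw new ConfigurationErrorsException("Section '" + name + "' not found in " + config.FilePath);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected != protect)
        {
            // DPAPI ciphertext is bound to the machine (or user) that produced it,
            // so run this on the server where the application will read the file.
            if (protect) info.ProtectSection(Provider); else info.UnprotectSection();
            info.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        // Re-open from disk to confirm the saved state matches what was requested.
        bool ok = Open(args[1], args[2]).GetSection(name).SectionInformation.IsProtected == protect;
        Console.WriteLine(name + (ok ? " is now " : " is NOT ") + (protect ? "protected" : "unprotected"));
        return ok ? 0 : 1;
    }
}
```

The tool exits non-zero when the state on disk does not match the request, so a deployment script can refuse to ship a config whose connection strings are still in plain text.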

Posted on Sunday, December 10, 2006 9:18 PM .NET


Comments on this post: Encrypting Web.config and App.config

# re: Encrypting Web.config and App.config
"...
For our environment we have a web project and some winform projects, so it is easier for us to create a simple tool to maintain both configuration file types.
..."

I am looking at doing the same - however in our environment we have Dev, Test and Prod servers. I am assuming you can't encrypt the App.config section and then simply promote the app to another server and expect it to decrypt? What 'key' (machine/user?) does the ProtectSection method use? I am aware that 'aspnet_regiis.exe' supports exporting of a key for decryption purposes, does DecryptSection also do this?
Left by Sal on Apr 26, 2007 7:56 PM

# re: Encrypting Web.config and App.config
Sounds like you want to use RSAProtectedConfigurationProvider instead of DPAPIProtectedConfigurationProvider in order for multiple machines to decrypt the file.

Here is an example of it: http://channel9.msdn.com/wiki/default.aspx/Channel9.HowToEncryptConfigurationSectionsUsingRsaInAspNet20
Left by Aaron Feng on Apr 26, 2007 9:57 PM

# re: Encrypting Web.config and App.config
this is from prasad down load
Left by prasad on Jan 02, 2008 3:25 AM

# re: Encrypting Web.config and App.config
But could you explain how it works, does it put any key in the registry or maybe some other way?
Left by Lesha on Feb 04, 2008 7:20 AM

# re: Encrypting Web.config and App.config
Change App.Config to Web.Config and then use aspnet_regiis.exe to encrypt it. Change the Web.Config back to app.config.
Works like magic!
Left by Anon on Apr 04, 2008 12:18 AM

# re: Encrypting Web.config and App.config
<script language=javascript>
alert("XXS vulnarability");
</script>
Left by neo on May 28, 2008 1:10 AM

# re: Encrypting Web.config and App.config
Wow - renaming it to web.config really does work - I'm impressed that the non-web-app can decrypt it automatically too. Seems silly that they hard coded it to look at web.config...
Left by Sam Schutte on Sep 26, 2008 9:50 AM

# re: Encrypting Web.config and App.config
Thank you guys...
It's unbelievable how easy this is...
Left by Maorino on Dec 02, 2008 3:53 AM

# re: Encrypting Web.config and App.config
Many thanks for this tip - "Change App.Config to Web.Config and then use aspnet_regiis.exe to encrypt it. "
Left by boomshanker on May 21, 2009 1:20 PM

# re: Encrypting Web.config and App.config
A BIG thanks to 'Anon' for this advice:

"Change App.Config to Web.Config and then use aspnet_regiis.exe to encrypt it."
Left by atconway on Sep 11, 2009 3:39 PM

# re: Encrypting Web.config and App.config
Awesome recommendation to change the file from app.config or whatever it is to web.config

Thanks a lot
Left by Amir_Iran on Dec 15, 2009 12:25 PM

# re: Encrypting Web.config and App.config
Does this technique work if several users (on the same machine) want to read the configuration file? Or can only the user doing the encryption then decrypt it?
Left by Keith Douglas on May 04, 2010 3:51 PM


Copyright © Aaron Feng