Software Developer, Technology Enthusiast, Husband and Dad based in Melbourne.

Encrypting ASP.NET appSettings Web.Config File

It is recommended to encrypt the AppSettings key in the ASP.NET Web.Config file for security reason. The simplest method is using aspnet_regiis.exe command-line utility; this command-line utility is available from .NET 2 Framework or higher, for this blog I will be using .NET Framework 4.0.

aspnet_regiis.exe

The location of aspnet_regiis.exe command-line utility is:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Encryption

To encrypt the appSettings key at the command-line:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe –pef appSettings “c:\project\directory” -prov “DataProtectionConfigurationProvider”

  1. Specify the full path to aspnet_regiis.exe command-line utility
  2. Use -pef appSettings to set the appSettings key
  3. Use -prov “DataProtectionConfigurationProvider”

.NET Framework 4.0 has two built-in providers for encrypting the appSettings key in ASP.NET Web.Config file:

  • DataProtectionConfigurationProvider Windows data protection API (DPAPI)
  • RSAProtectedConfigurationProvider RSA encryption

The simplest provider to use is the DataProtectionConfigurationProvider, there are no RSA keys to be created and setup, with the DataProtectionConfigurationProvider it’s server -specific.

When copying the Web.Config file from your development environment, encrypt the appSettings key on the server using DataProtectionConfigurationProvider provider otherwise the appSettings key will not be decrypted correctly.

The RSAProtectedConfigurationProvider RSA encryption, the RSA keys can be copied from development environment to server without change.

Decryption

To decrypt the appSettings key at the command-line:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf appSettings “c:\project\directory ”

  1. Specify the full path to aspnet_regiis.exe command-line utility
  2. Use –pdf appSettings to set the appSettings key

C# Example reading appSettings Key

With this example the appSettings key is read and decrypted automatically:

using System.Configuration;
using System.Web.Configuration;

private void EncryptAppSettings()        {
           Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(
                  Request.ApplicationPath);
           AppSettingsSection objAppsettings =
            (AppSettingsSection)objConfig.GetSection("appSettings");
          if (!objAppsettings.SectionInformation.IsProtected)
            {
            objAppsettings.SectionInformation.ProtectSection
                            ("DataProtectionConfigurationProvider");
                  objAppsettings.SectionInformation.ForceSave = true;
                 objConfig.Save(ConfigurationSaveMode.Modified);
            }
        }

Links

ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.100%29.aspx

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/en-us/library/ff647398.aspx

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/en-us/library/ms998283.aspx

DpapiProtectedConfigurationProvider Class
http://msdn.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider%28v=vs.100%29.aspx

RsaProtectedConfigurationProvider Class
http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider%28v=vs.100%29.aspx

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>