Encrypting Web.Config Values in ASP.NET 2.0

One of the cool new features in the ASP.NET 2.0 configuration system is the ability to encrypt any of the values stored in configuration files (note: this works with any configuration section -- including ones you build yourself). This is obviously important when storing sensitive information like connection strings -- and it means you no longer have to roll your own solution.

K Scott Allen posted a super simple example of how to encrypt a section on his blog (spoiler: it is a one-line command).

Here are a few other good articles I found on the web that discuss it more as well:

Hope this helps,

Scott

P.S. While I'm mentioning building your own configuration sections, I thought I'd point out this past blog post I did that references Dmitry's cool utility for building your own custom configuration sections + VS 2005 XML intellisense support for them.

Published Monday, January 09, 2006 9:29 AM by ScottGu

Comments

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, January 09, 2006 2:52 PM by yaip
HunterStone had this good web.config editor but unfortunately they have discontinued it. Is there anything out there?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, January 09, 2006 8:39 PM by scottgu
Hi Yaip,

ASP.NET 2.0 now actually ships with a new MMC property page that surfaces ASP.NET settings inside the IIS admin tool. Included as part of this is support for editing the connectionstring, provider and appsettings sections (which are some of the most commonly changed values).

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 7:58 AM by Luciano Evaristo Guerche
May we benefit from this feature and use it in a windows form project too? If so, how?

Regards,

Luciano Evaristo Guerche

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 8:01 AM by Luciano Evaristo Guerche
If somebody steals web.config and runs aspnet_regiis on another machine, do they get web.config in plain text? Or does aspnet_regiis use some salt, the PKI infrastructure or some other scheme which does not allow decryption on other machines?

Regards,

Luciano Evaristo Guerche

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 10:15 AM by scottgu
Hi Luciano,

The encryption is typically combined with a machine key that also needs to be installed on the machine (in a secure location where only admins have access). This means that even if the web.config is stolen, people cannot reverse engineer its values.

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 12:37 PM by scottgu
Hi Luciano,

I just checked with someone on my team and they replied:

Config encryption works with Winforms apps as well. Developers still need to use aspnet_regiis though for command-line configuration of the key containers if they are using RSA encryption.

Regardless of the selected protected config provider (DPAPI or RSA), you can programmatically encrypt and decrypt config sections through the config API if you don't want to use the command line tool for this.

Hope this helps,

Scott
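
The programmatic route mentioned in the reply above, for a Windows Forms or console application's own .exe.config, as an added example that is not code from the original post or its comments. The class name `ConfigProtector` and its command-line arguments are hypothetical; the project needs a reference to System.Configuration.dll.

```csharp
using System;
using System.Configuration;

static class ConfigProtector
{
    // Names of the two providers registered by default in machine.config.
    const string Dpapi = "DataProtectionConfigurationProvider";
    const string Rsa = "RsaProtectedConfigurationProvider";

    // Encrypts (protect = true) or decrypts one section of this application's
    // own .exe.config file. Returns true if the file was changed.
    static bool SetProtection(string sectionName, string provider, bool protect)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("No such section: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected == protect)
            return false;                     // already in the requested state

        if (protect)
            info.ProtectSection(provider);    // ciphertext replaces the section body
        else
            info.UnprotectSection();          // requires access to the same key

        info.ForceSave = true;                // write the section even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main(string[] args)
    {
        // Hypothetical usage: ConfigProtector.exe encrypt|decrypt [rsa]
        bool protect = args.Length == 0 || args[0] != "decrypt";
        string provider = (args.Length > 1 && args[1] == "rsa") ? Rsa : Dpapi;

        bool changed = SetProtection("connectionStrings", provider, protect);
        Console.WriteLine("{0}: {1}", protect ? "encrypt" : "decrypt",
                          changed ? "file updated" : "nothing to do");

        // Reads go through the normal API and are decrypted transparently.
        Console.WriteLine("{0} connection string(s) readable",
                          ConfigurationManager.ConnectionStrings.Count);
    }
}
```

The same calls work on a web.config if the `Configuration` object is obtained from `WebConfigurationManager.OpenWebConfiguration` instead. With the DPAPI provider the result can only be decrypted on the machine that encrypted it.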

# re: Encrypting Web.Config Values in ASP.NET 2.0

Friday, February 03, 2006 10:05 PM by john browner
Hi, I didn't know what I was doing and I encrypted my settings; as a result my documents etc. are garbled. How can I undo this situation?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, February 06, 2006 12:38 PM by scottgu
Hi John,

Can you send me email (scottgu@microsoft.com) describing the steps you did? I can then help you.

Thanks,

Scott

# Can this be applied to the wse3policyCache.config?

Friday, September 15, 2006 12:18 PM by Mark Quigley
Our web.config references the wse3policyCache.config, which contains the username and password for the certs we are using. Obviously it would be good to encrypt this file, but we are not sure if that will work. Thoughts?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, September 19, 2006 12:25 AM by ScottGu

Hi Mark,

I'm not 100% sure how that configuration section is referenced.  If it is referenced using the standard System.Configuration APIs, then you should be able to encrypt its values just fine.

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, December 18, 2006 6:09 PM by mukund

I have a custom section for my web application that contains sensitive data. Because of that, I want to have it encrypted in the same way I encrypt the "connectionStrings" section using the ASPNET_REGIIS tool.

The problem is that I get an error saying that the ASPNET_REGIIS tool can't find the assembly file that contains my custom section.

My questions are:

1. Can ASPNET_REGIIS encrypt my custom section?

2. Where does it look for my handler and how do I give reference to it?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, December 19, 2006 2:06 PM by ScottGu

Hi Mukund,

I don't know the answer to this off the top of my head - but if you send me an email summarizing the issue I can loop you in with someone who does.

Thanks,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, February 19, 2007 3:58 PM by eladio

I have the same problem with a custom section as mukund has.

Did you have some progress on that issue?

thanks in advance

eladio@we-can.co.il
