Encrypting Web.Config Values in ASP.NET 2.0

One of the cool new features in the ASP.NET 2.0 configuration system is the ability to encrypt any of the values stored in configuration files (note: this works with any configuration section -- including ones you build yourself).  This is obviously important when storing sensitive information like connection strings -- and it means you no longer have to roll your own solution.

K Scott Allen posted a super simple example of how to encrypt a section on his blog (spoiler: it is a one-line command).

Here are a few other good articles I found on the web that discuss it more as well:

Hope this helps,

Scott

P.S. While I'm mentioning building your own configuration sections, I thought I'd point out this past blog post I did that references Dmitry's cool utility for building your own custom configuration sections + VS 2005 XML intellisense support for them.

Published Monday, January 9, 2006 9:29 AM by ScottGu

Comments

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, January 9, 2006 8:39 PM by scottgu
Hi Yaip,

ASP.NET 2.0 now actually ships with a new MMC property page that surfaces ASP.NET settings inside the IIS admin tool. Included as part of this is support for editing the connectionstring, provider and appsettings sections (which are some of the most commonly changed values).

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 7:58 AM by Luciano Evaristo Guerche
May we benefit from this feature and use it in a windows form project too? If so, how?

Regards,

Luciano Evaristo Guerche

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 8:01 AM by Luciano Evaristo Guerche
If somebody steals web.config and runs aspnet_regiis on another machine, do they get web.config in plain text? Or does aspnet_regiis use some salt, the PKI infrastructure or some other scheme which does not allow decryption on other machines?

Regards,

Luciano Evaristo Guerche

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 10:15 AM by scottgu
Hi Luciano,

The encryption is typically combined with a machine key that also needs to be installed on the machine (in a secure location where only admins have access). This means that even if the web.config is stolen, people cannot reverse engineer its values.

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, January 10, 2006 12:37 PM by scottgu
Hi Luciano,

I just checked with someone on my team and they replied:

Config encryption works with Winforms apps as well. Developers still need to use aspnet_regiis though for command-line configuration of the key containers if they are using RSA encryption.

Regardless of the selected protected config provider (DPAPI or RSA), you can programmatically encrypt and decrypt config sections through the config API if you don't want to use the command line tool for this.

Hope this helps,

Scott
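The programmatic route mentioned in the reply above, shown as an added example that is not part of the original thread: a console or WinForms executable encrypting a section of its own .config file through System.Configuration. The class name `ConfigProtector` and the helper `SetProtection` are hypothetical; the two provider names are the built-in ones registered in machine.config.

```csharp
// Added example, not code from the post. Needs a reference to System.Configuration.dll.
using System;
using System.Configuration;

static class ConfigProtector
{
    // Built-in protected configuration providers.
    const string DpapiProvider = "DataProtectionConfigurationProvider";
    const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts (protect = true) or decrypts (protect = false) one section of the
    // running executable's .config file. Returns true if the file was changed.
    static bool SetProtection(string sectionName, string provider, bool protect)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsLocked || info.IsProtected == protect)
            return false; // locked by a parent config, or already in the requested state

        if (protect) info.ProtectSection(provider);
        else info.UnprotectSection();

        info.ForceSave = true; // write the section even if its values did not change
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main(string[] args)
    {
        // Pass "rsa" to use the RSA provider; its key container must already exist
        // and be readable by the account running the application.
        string provider = (args.Length > 0 && args[0] == "rsa") ? RsaProvider : DpapiProvider;
        bool changed = SetProtection("connectionStrings", provider, true);
        Console.WriteLine(changed ? "Section encrypted." : "No change.");

        // Reads go through the normal API; decryption happens transparently.
        // Only names are printed so secrets do not end up in console output.
        ConfigurationManager.RefreshSection("connectionStrings");
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
            Console.WriteLine(cs.Name);
    }
}
```

The process needs write access to its .config file, so this is best run once at install or deployment time under an administrative account rather than on every start.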

# re: Encrypting Web.Config Values in ASP.NET 2.0

Friday, February 3, 2006 10:05 PM by john browner
Hi, I didn't know what I was doing and I encrypted my setting; as a result my documents etc. are garbled. How can I undo this situation?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, February 6, 2006 12:38 PM by scottgu
Hi John,

Can you send me email (scottgu@microsoft.com) describing the steps you did? I can then help you.

Thanks,

Scott

# Can this be applied to the wse3policyCache.config?

Friday, September 15, 2006 12:18 PM by Mark Quigley
Our web.config references the wse3policyCache.config which contains username and password for the Certs we are using. Obviously it would be good to encrypt this file, but we are not sure if that will work. Thoughts?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, September 19, 2006 12:25 AM by ScottGu

Hi Mark,

I'm not 100% sure how that configuration section is referenced.  If it is referenced using the standard System.Configuration APIs, then you should be able to encrypt its values just fine.

Hope this helps,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, December 18, 2006 6:09 PM by mukund

I have a custom section for my web application that contains sensitive data. Because of that, I want to have it encrypted in the same way I encrypt the "connectionStrings" section using the ASPNET_REGIIS tool.

The problem is that I get an error saying that the ASPNET_REGIIS tool can't find the assembly file that contains my custom section.

My questions are:

1. Can ASPNET_REGIIS encrypt my custom section?

2. Where does it look for my handler and how do I give reference to it?

# re: Encrypting Web.Config Values in ASP.NET 2.0

Tuesday, December 19, 2006 2:06 PM by ScottGu

Hi Mukund,

I don't know the answer to this off the top of my head - but if you send me an email summarizing the issue I can loop you in with someone who does.

Thanks,

Scott

# re: Encrypting Web.Config Values in ASP.NET 2.0

Monday, February 19, 2007 3:58 PM by eladio

I have the same problem with custom section as mukund has.

Did you have some progress on that issue?

Thanks in advance

eladio@we-can.co.il
