Click here to Skip to main content
Click here to Skip to main content
Go to top

Secutirty at your Hands: Encryption of Configuration file in Whidbey

, 3 Jul 2005
Rate this:
Please Sign up or sign in to vote.
Encryption of configuration file in Whidbey.

Introduction

After my previous article on connectionstrings, I got a lot of feedback to write on encryption techniques available in Visual Studio 2005 commonly known as Whidbey. So here's an article that introduces you to the techniques available to encrypt sections of the web.config file.

By default, ASP.NET 2.0 supports XML encryptions for some of the sections. But there are some other sections like the connection strings etc. which need to be encrypted and kept secure. One of the best things that Microsoft has done even with ASP.NET 1.x is that you can't access the web.config file of any web application in a remote computer, thereby enhancing the security. But Web.config is an XML file and hence text based, and so it can be manipulated by authenticated/unauthenticated users by using different means. Protecting the sections of the web.config file is a problem in ASP.NET 1.x and developers had to write their own utilities to secure the web.config section.

What's there in ASP.NET 2.0

In ASP.NET 2.0, we have a section called ProtectedData which contains two subsections:

  1. Providers
  2. ProtectedDataSections

Providers section holds the name of the protection providers available in ASP.NET. ProtectedDataSection is the section where you can specify the name of the section to be encrypted and also the type of encryption which can be taken from the Providers section.

<protectedData defaultProvider="RSAProtectedConfigurationProvider">
<providers>
<add name="RSAProtectedConfigurationProvider”
type="…”
keyName="RSA Key”
keyContainerName="NetFrameworkConfigurationKey”
cspProviderName="“
useMachineContainer="true” />
<add name="DataProtectionConfigurationProvider”
type="…"
keyName="Net Framework DPAPI Key”
keyEntropy="
useMachineProtection="true” />
</providers>
<protectedDataSections>
………
…….
……
</protectedDataSections>
</protectedData>

This is the way by which you can encrypt most of the sections of Web.Config. Apart from that, you can encrypt the ConnectionString before putting it into the Web.Config file. This can be achieved by using aspnet_regiis.exe.

A simple way to use aspnet_regiis to encrypt connection strings for the MyData application:

aspnet_regiis.exe –pe connectionStrings –app /MyData

On doing this, your ConnectionStrings section will be encrypted and will not look like a clear text any more. For decrypting it, you can use:

aspnet_regiis.exe –pd connectionStrings –app /MyData

You can also add onto the aspnet_regiis.exe tool, you are also free to use any of the third party software to encrypt and decrypt sections of the web.Config.

Happy coding in Whidbey!

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Nishith Pathak
Web Developer
India India
Nishith Pathak is an avid reader,Prolific writer, Speaker for Microsoft India,Published Author of APress and a Microsoft Purist.He is MVP, MCPD, MCTS MCSD.Net,MCAD.Net(EA),MCSD. His proficiency lies in exploring Microsoft technology and to share them with other peers. He is a contributing author and an avid technical reviewer for multiple electronic and print publications. He has recently co-authored a book on WCF called Pro WCF: Microsoft Practical SOA Implementation for APress Inc, USA. Over the years, he has also been involved in providing consultancy and training services to corporations. He has been awarded with Microsoft Most Valuable Professional (MVP).Working since beta version of .Net makes his competecy in .Net. He can be contacted at NisPathak@Hotmail.com or at his blog http://DotNetPathak.Blogspot.com. Currently he is focused on key areas of the Microsoft platform, specifically Distributed Computing, service orientation and exploring VISTA and help companies architecting solutions based on Service Oriented Architecture.

Comments and Discussions

 
GeneralOk...but, in hosting environment Pinmembereevmq197427-Jun-07 9:57 
GeneralNice way to protect web.config data PinmemberShaikh Babu19-Dec-06 0:54 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.140916.1 | Last Updated 4 Jul 2005
Article Copyright 2005 by Nishith Pathak
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid