Encrypt and Decrypt Configuration Sections in ASP.NET 2.0

Announcements

	Try Azure, win a laptop
	Build a VS2010 addin win a Zune
	Monthly Competition

Articles

Platforms, Frameworks & Libraries

Languages

General Programming

Graphics / Design

Development Lifecycle

Services

CodeProject VS2008 Addin

Feature Zones

Product Showcase

WhitePapers / Webcasts

.NET Dev Library

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

2 votes for this article.

Popularity: 1.02 Rating: 3.40 out of 5

Introduction

The ASP.NET Configuration API provides support for encrypting and decrypting configuration sections in web.config. This feature comes extremely handy when you need to hide sensitive information like passwords. In this article, we will explore how to encrypt and decrypt sections of the web.config.

We can encrypt configuration sections by using two built-in providers: the DPAPI (Windows Data Protection API) Provider or the RSA provider. The RSA provider (default) uses an RSA key which holds public and private keys, where as the DPAPI provider uses a built-in machine-specific key. Let us explore the steps required to encrypt the sections using RSA.

Step 1

Open web.config and add the following sample entries in the file between the configuration tag. You can add a connection string:

string provider = "RSAProtectedConfigurationProvider";
string section = "connectionStrings";
protected void btnEncrypt_Click(object sender, EventArgs e)
{
    try
    {
        Configuration confg = 
          WebConfigurationManager.OpenWebConfiguration (Request.ApplicationPath);
        ConfigurationSection confStrSect = confg.GetSection(section);
        if (confStrSect != null)
        {
            confStrSect.SectionInformation.ProtectSection(provider);
            confg.Save();
        }
   
        Response.Write("Configuration Section " + "" +
            WebConfigurationManager.ConnectionStrings["MyConnString"].ConnectionString + 
            "" + " is automatically decrypted");
    }
    catch (Exception ex)
    {
    }
}

Step 2

After this, open the web.config file and we can see the encrypted data. In the code above, we open the web.config file as a System.Configuration.Configuration object using the specified virtual path. We then call GetSection() to retrieve the specified ConfigurationSection object, in our case connectionStrings. The ConfigurationSection.SectionInformation property gets us the SectionInformation object, and then we finally call the ProtectSection() method on the SectionInformation object to mark the section for protection.

<connectionstrings configprotectionprovider=""RsaProtectedConfigurationProvider"" />
 <encrypteddata xmlns=""http://www.w3.org/2001/04/xmlenc#"" 
       type=""http://www.w3.org/2001/04/xmlenc#Element"" />
   <encryptionmethod algorithm=""http://www.w3.org/2001/04/xmlenc#tripledes-cbc"" />
   <keyinfo xmlns=""http://www.w3.org/2000/09/xmldsig#"" />
    <encryptedkey xmlns=""http://www.w3.org/2001/04/xmlenc#"" />
     <encryptionmethod algorithm=""http://www.w3.org/2001/04/xmlenc#rsa-1_5"" />
     <keyinfo xmlns=""http://www.w3.org/2000/09/xmldsig#"" />
      <keyname />Rsa Key</keyname />
     </keyinfo />
     <cipherdata />
      <ciphervalue />ZehN7B+VXBdJTe1X3NFz9Uz3NqxvjSMmbytLeHGNlZa4
JkkpRkXzphm5sedHeMTk5KZCHxoYrJ4ssJ0OcZnzLxNUrAB9Ie3y8xJVWJ2s0RQ
dmaGk5bSJADE1xKJBuOtDIOi/Ron7qJDWXwllC3v
vmNwgabmJ9RU+RN35TOQpznc=</ciphervalue />
     </cipherdata />
    </encryptedkey />
   </keyinfo />
   <cipherdata />
    <ciphervalue />q2amqNwjeyEbMxF5pZ3XqfboNUJKSml773mPkISGi6uWCWCDPs
0ICClmH1eQYcsI9FlxFvEfyRyRRugqOU2xe+gd3aRZEZ5irpGFB45Fn6M+te7kg
OeTK1gjGEsbeaNjBNwgpcXMh9RiA9xVOvWlLAyJ3u8DsDQ+4JmM/zTUtxer/8Dl
UI7+u8D+9V4b5tWxShp4BToMFdTcefhMb19pGdn+jocGet
WBJirO5CJsLXI=</ciphervalue />
   </cipherdata />
 </encrypteddata />
</connectionstrings />

Decrypting web.config

Similarly, while decrypting the section, we call the UnprotectSection() method of the SectionInformation object.

protected void btnDecrypt_Click(object sender, EventArgs e)
{
    try
    {
        Configuration confg = 
         WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection confStrSect = confg.GetSection(section);
        if (confStrSect != null && confStrSect.SectionInformation.IsProtected)
        {
            confStrSect.SectionInformation.UnprotectSection();
            confg.Save();
        }
    }
    catch (Exception ex)
    {
    }
}

Similar to connection strings, it is possible to encrypt any section in the web.config file.

Good luck .........

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Muthupandiammal

Member

Company:	Acusis Software pvt ltd
Location:	India

Other popular ASP.NET articles:

Multiple File Upload With Progress Bar Using Flash and ASP.NET
How to use Flash to upload multiple files in a medium-trust hosting environment
Exploring Session in ASP.Net
This article describe about session in ASP.Net 2.0 . Different Types of Session , There Configuration . Also describe Session on Web Farm , Load balancer , web garden etc.
CAPTCHA Image
Using CAPTCHA images to prevent automated form submission.
10 ASP.NET Performance and Scalability Secrets
10 easy ways to make ASP.NET and AJAX websites faster, more scalable and support more traffic at lower cost
Paging of Large Resultsets in ASP.NET
An article about optimization and performance testing of MS SQL Server 2000 stored procedures used for paging of large resultsets in ASP.NET