When you need to use the same encrypted configuration file on many computers in a Web farm, you must use the System.Configuration.RSAProtectedConfigurationProvider,
which allows you to export the encryption keys used to encrypt the data. The encryption keys can be imported into another server. This is the default setting. A typical
Web.config file might look like the following:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> <appSettings/> <connectionStrings>
<add name="ConnectionString"
connectionString="Data Source=.\SQLEXPRESS;
AttachDbFilename=|DataDirectory|\northwnd.mdf;
Integrated Security=True;User Instance=True"
providerName="System.Data.SqlClient" />
</connectionStrings> <system.web> … </system.web> </configuration>
The connectionStrings element can be encrypted by running the Visual Studio 2005 Command Prompt, executing the following command, and specifying the full path to your Web site folder:
aspnet_regiis -pef "connectionStrings" "C:\...\EncryptWebSite"
Note that the –pef switch requires you to pass the physical Web site path, which is the last parameter. Be sure to verify the path to your Web.config file. The encrypted Web.config file will look like the following:
<?xml version="1.0"?> <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"><protectedData> <protectedDataSections>
<add name="connectionStrings"
provider="RsaProtectedConfigurationProvider"
inheritedByChildren="false" />
</protectedDataSections>
</protectedData>
<appSettings/>
<connectionStrings>
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey Recipient=""
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>PPWA1TkWxs2i698Dj07iLUberpFYIj6wBhbmqfmNK/plarau4i1k+xq5bZzB4VJW8 OkhwzcIIdZIXff6INJ1wlZz76ZV1DIbRzbH71t6d/L/qJtuOexXxTi2LrepreK/q3svMLpsJycnDPa t9xaGoaLq4Cg3P19Z1J6HquFILeo=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>Q1re8ntDDv7/dHsvWbnIKdZF6COA1y3S91hmnhUN3nxYfrjSc7FrjEVyJfJhl5EDX 4kXd8ukAjrqwuBNnQbsh1PAXNFDflzB4FF+jyPKP/jm1Q9mDnmiq+NCuo3KpKj8F4vcHbcj+f3GYqq B4pYbblAvYnjPyPrrPmxLNT9KDtDr8pDbtGnKqAfcMnQPvA8l5w3BzPM4a73Vtt2kL/z9QJRu3Svd9 33taxOO/HufRJEnE2/hcBq30WcBmEuXx3LFNjV+xVmuebrInhhxQgM2froBKYxgjwWiWNjIIjIeTI2 FQ8nZ8V8kzAVohmDYkZpCj4NQGdrjD996h97phI6NnHZYZHJ7oPRz</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
<system.web>
… </system.web></configuration>
If changes are made to the connectionStrings section using the GUI tools, the new connection is encrypted, which means that you won’t have to run the aspnet_regiis utility again.
You can decrypt the connectionStrings section by using the following command:
aspnet_regiis -pdf "connectionStrings" "C:\...\EncryptWebSite"
After the connectionStrings section is decrypted, it looks just as it did before it was encrypted.
Submit an article or tip