
Security at your Hands: Encryption of Configuration file in Whidbey


Jul 4, 2005


Encryption of configuration file in Whidbey.

Introduction

After my previous article on connection strings, I got a lot of feedback to write on the encryption techniques available in Visual Studio 2005, commonly known as Whidbey. So here's an article that introduces you to the techniques available to encrypt sections of the web.config file.

By default, ASP.NET 2.0 supports XML encryption for some of the sections. But there are other sections, such as the connection strings, which need to be encrypted and kept secure. One of the best things that Microsoft has done, even with ASP.NET 1.x, is that you can't access the web.config file of any web application on a remote computer, which enhances security. But Web.config is an XML file and hence text-based, so it can be manipulated by authenticated or unauthenticated users through different means. Protecting the sections of the web.config file was a problem in ASP.NET 1.x, and developers had to write their own utilities to secure them.

What's there in ASP.NET 2.0

In ASP.NET 2.0, we have a section called ProtectedData which contains two subsections:

  1. Providers
  2. ProtectedDataSections

The Providers section holds the names of the protection providers available in ASP.NET. ProtectedDataSections is the section where you specify the name of each section to be encrypted and the type of encryption to use, which is taken from the Providers section.

<protectedData defaultProvider="RSAProtectedConfigurationProvider">
  <providers>
    <add name="RSAProtectedConfigurationProvider"
         type="…"
         keyName="RSA Key"
         keyContainerName="NetFrameworkConfigurationKey"
         cspProviderName=""
         useMachineContainer="true" />
    <add name="DataProtectionConfigurationProvider"
         type="…"
         keyName="Net Framework DPAPI Key"
         keyEntropy=""
         useMachineProtection="true" />
  </providers>
  <protectedDataSections>
    ………
    …….
    ……
  </protectedDataSections>
</protectedData>

This is how you can encrypt most of the sections of Web.Config. Apart from that, you can encrypt the ConnectionString before putting it into the Web.Config file. This can be achieved by using aspnet_regiis.exe.

A simple way to use aspnet_regiis to encrypt connection strings for the MyData application:

aspnet_regiis.exe -pe connectionStrings -app /MyData

After doing this, your ConnectionStrings section will be encrypted and will no longer appear as clear text. To decrypt it, you can use:

aspnet_regiis.exe -pd connectionStrings -app /MyData

In addition to the aspnet_regiis.exe tool, you are also free to use any third-party software to encrypt and decrypt sections of the web.Config.
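
To confirm that the -pe command above took effect, a check like the following reports whether a section is still stored in clear text. This is an added example, not code from the original article: the helper names and sample documents are constructed, and it assumes a protected section carries a configProtectionProvider attribute and a single EncryptedData child element.

```python
# Added example: report whether Web.config sections are stored encrypted.
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def find_section(root, path):
    """Walk a slash-separated path such as 'system.web/identity'."""
    node = root
    for name in path.split("/"):
        node = next((c for c in node if local(c.tag) == name), None)
        if node is None:
            return None
    return node

def section_status(config_xml, path):
    """Return 'missing', 'plaintext', 'encrypted' or 'inconsistent'.

    Assumption: a protected section has a configProtectionProvider
    attribute and exactly one child element, <EncryptedData>.
    """
    node = find_section(ET.fromstring(config_xml), path)
    if node is None:
        return "missing"
    has_provider = "configProtectionProvider" in node.attrib
    children = [local(c.tag) for c in node]
    if has_provider and children == ["EncryptedData"]:
        return "encrypted"
    if not has_provider and "EncryptedData" not in children:
        return "plaintext"
    return "inconsistent"  # half-edited section: review by hand

# Constructed sample documents (not real configuration or key material).
PLAIN = """<configuration>
  <connectionStrings>
    <add name="MyData" connectionString="Server=db;Password=CONSTRUCTED" />
  </connectionStrings>
</configuration>"""

PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RSAProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("protected", PROTECTED)):
        print(label, section_status(doc, "connectionStrings"))
```

An "inconsistent" result means the provider attribute and the section body disagree, which usually indicates a hand-edited file that should be re-encrypted with the tool.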

Happy coding in Whidbey!