Posted 6 Mar 2011

Securing Configuration Files in ASP.NET

7 Mar 2011

The Problem

The majority of .NET applications and web sites store their configuration settings in a .config file. It is an XML file that any .NET application can read through the System.Configuration library, and it frequently contains sensitive settings such as authentication and authorization data.

For instance, a database connection string is frequently stored in the application settings section as a key/value pair:

<add key="MyConnectionString1" value="server=db1;..." />

By default, .config files are stored in plain text and can easily be read by anyone who has access to the server or the application.
"So what?", "Why is that a problem at all?"

Here are a few examples why that can actually be a huge problem.

  1. Many web applications keep the database server on a different machine from the web server. This is done for security reasons and to improve performance. Since anyone who gets access to your web server can easily read your configuration file, they also get access to your database server, which is highly undesirable because the database might contain usernames, e-mail addresses, and other sensitive information.
  2. An application that needs database access is installed on a computer that many people have access to.

Of course, one can hard-code connection strings into the source code, but compiled code, even when obfuscated, can easily be decompiled. In addition, changing the connection string then becomes painful because the application must be recompiled and reinstalled.

The Solution

In this article, I will present three solutions to the problem stated above. I will present a short version of the first two solutions and will present a detailed version of the third one. I will also attach the source code for the third solution.

The First Solution

Encrypt the password before the application is shipped, and create a service on your database server that intercepts every login attempt and decrypts the password. This is probably the most secure solution, but it is not easy to implement.

The Second Solution

Use the protected-section mechanism built into the .NET Framework (this is the standard sample for ASP.NET; it needs System.Configuration and System.Web.Configuration):

static public void ProtectSection()
{
    // Get the current configuration file (the application's root web.config).
    System.Configuration.Configuration config =
        WebConfigurationManager.OpenWebConfiguration("~");
    // Get the section.
    AppSettingsSection section = (AppSettingsSection)config.GetSection("appSettings");
    // Protect the section with the built-in DPAPI provider.
    section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    // Save the encrypted section, even if the in-memory copy looks unchanged.
    section.SectionInformation.ForceSave = true;
    config.Save(ConfigurationSaveMode.Full);
}

This approach can be compared to bringing home the entire orange tree when you only need a bag of oranges, because the entire section is encrypted, not just the sensitive values.
If that is what you want, here is a good article describing that approach.

The Third Solution (Preferred, By Me)

In this solution, only selected settings within a section are encrypted, using DPAPI (the Windows Data Protection API).
Unfortunately, DPAPI is not a flawless solution:

DPAPI is a password-based data protection service. It requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys, which we'll cover in more detail later. Because DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password for protection.

Nevertheless, DPAPI offers reasonably good protection for your sensitive settings.

It is worth noting that DPAPI protection is machine specific: data encrypted on one machine cannot be decrypted on another machine.

Code Walkthrough

Settings to encrypt are specified in the <appSettings> section of the configuration file.

<add key="KeysToEncrypt" value="ValuableKey1,ValuableKey2" />

where value is the comma-separated list of keys to encrypt.

Here are the settings we want to encrypt in this example:

<add key="ValuableKey1" value="Top Secret 1" />
<add key="ValuableKey2" value="Top Secret 2" />

Since DPAPI protection is machine specific, we need to encrypt the configuration file on the machine it will run on (the web server, for web applications).

The ConfigEncryptToFile method encrypts the keys listed in "KeysToEncrypt" and updates the configuration file:

public static void ConfigEncryptToFile()
{
    // Skip the work if the file has already been encrypted.
    string encrypted = ConfigurationManager.AppSettings.Get("Encrypted");
    if (encrypted == null || !encrypted.Equals("True"))
    {
        string keysToEncrypt = ConfigurationManager.AppSettings.Get("KeysToEncrypt");
        if (keysToEncrypt != null && keysToEncrypt.Length > 0)
        {
            // Open the writable configuration object for this application.
            // (For a web application use WebConfigurationManager.OpenWebConfiguration("~") instead.)
            Configuration config =
                ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
            AppSettingsSection appSettings = config.AppSettings;
            string[] keys = keysToEncrypt.Split(',');
            foreach (string key in keys)
            {
                KeyValueConfigurationElement kv = appSettings.Settings[key];
                if (kv != null)
                    // EncryptUtility.EncryptString takes a SecureString and returns the DPAPI
                    // ciphertext as a Base64 string.
                    kv.Value = EncryptUtility.EncryptString(EncryptUtility.ToSecureString(kv.Value));
            }
            // Mark the file so the encryption step is not applied twice.
            appSettings.Settings.Add("Encrypted", "True");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }
}

ConfigDecryptToMemory reloads the configuration file and decrypts the keys in memory only; the file on disk stays encrypted:

public static void ConfigDecryptToMemory()
{
    // Reload the section so the values written by ConfigEncryptToFile are read from disk.
    ConfigurationManager.RefreshSection("appSettings");
    string encrypted = ConfigurationManager.AppSettings.Get("Encrypted");
    if (encrypted != null && encrypted.Equals("True"))
    {
        string keysToDecrypt = ConfigurationManager.AppSettings.Get("KeysToEncrypt");
        string[] keys = keysToDecrypt.Split(',');
        foreach (string key in keys)
        {
            string value = ConfigurationManager.AppSettings.Get(key);
            // DecryptString returns a SecureString; ToInsecureString converts it back to plain text.
            value = EncryptUtility.ToInsecureString(EncryptUtility.DecryptString(value));
            // Replace the value in the in-memory collection only.
            ConfigurationManager.AppSettings.Set(key, value);
        }
    }
}

It is important to note that if we are really paranoid about security, it is better to decrypt the encrypted keys only at the moment we actually use them, and to keep them as SecureStrings in memory in the meantime.

It is also worth noting that the EncryptUtility class uses a fixed entropy value (DPAPI's optional secondary input); security can be improved further by generating a pseudo-random entropy value instead.
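The two remarks above, on-demand decryption into a SecureString and per-installation random entropy, can be combined in one small class. The following is an added example written for this article; it is neither the article's attached source nor Jon Galloway's EncryptUtility. The class name SelectiveDpapi and the setting name "DpapiEntropy" are this example's own choices; "KeysToEncrypt" and "Encrypted" follow the article. It targets .NET Framework 4.5 or later and references System.Configuration.dll and System.Security.dll.

```csharp
// Added example (not the article's or Jon Galloway's code): encrypt only the appSettings keys
// listed in "KeysToEncrypt" with DPAPI, using random per-installation entropy, and decrypt a
// single value on demand into a read-only SecureString.
using System;
using System.Configuration;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class SelectiveDpapi
{
    // "DpapiEntropy" is a setting name chosen for this example (assumption, not from the article).
    const string EntropyKey = "DpapiEntropy";
    const string EncryptedKey = "Encrypted";
    const string KeysToEncryptKey = "KeysToEncrypt";

    // Entropy is DPAPI's optional second input, not a secret key: it stops other code running under
    // the same Windows account from decrypting the value unless it also presents the same entropy.
    static byte[] GetOrCreateEntropy(AppSettingsSection appSettings)
    {
        KeyValueConfigurationElement kv = appSettings.Settings[EntropyKey];
        if (kv != null) return Convert.FromBase64String(kv.Value);

        byte[] entropy = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(entropy);
        appSettings.Settings.Add(EntropyKey, Convert.ToBase64String(entropy));
        return entropy;
    }

    // Encrypts the listed keys in place and writes the file back once. Safe to call repeatedly:
    // the "Encrypted" marker prevents double encryption.
    public static void EncryptConfiguredKeys(Configuration config)
    {
        AppSettingsSection appSettings = config.AppSettings;
        if (appSettings.Settings[EncryptedKey] != null) return;

        KeyValueConfigurationElement list = appSettings.Settings[KeysToEncryptKey];
        if (list == null || string.IsNullOrEmpty(list.Value)) return;

        byte[] entropy = GetOrCreateEntropy(appSettings);
        foreach (string key in list.Value.Split(','))
        {
            KeyValueConfigurationElement kv = appSettings.Settings[key.Trim()];
            if (kv == null) continue;
            byte[] plain = Encoding.UTF8.GetBytes(kv.Value);
            byte[] cipher = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
            Array.Clear(plain, 0, plain.Length);
            kv.Value = Convert.ToBase64String(cipher);
        }
        appSettings.Settings.Add(EncryptedKey, "True");
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Decrypts one value at the moment it is needed and returns it as a read-only SecureString,
    // so the plaintext never lands in the shared AppSettings collection.
    public static SecureString GetSecret(Configuration config, string key)
    {
        AppSettingsSection appSettings = config.AppSettings;
        KeyValueConfigurationElement kv = appSettings.Settings[key];
        KeyValueConfigurationElement entropyKv = appSettings.Settings[EntropyKey];
        if (kv == null || entropyKv == null)
            throw new ConfigurationErrorsException("Missing encrypted key or entropy for: " + key);

        byte[] entropy = Convert.FromBase64String(entropyKv.Value);
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(kv.Value), entropy, DataProtectionScope.CurrentUser);
        char[] chars = Encoding.UTF8.GetChars(plain);
        var secure = new SecureString();
        try
        {
            foreach (char c in chars) secure.AppendChar(c);
        }
        finally
        {
            // Wipe the managed copies of the plaintext as soon as the SecureString holds it.
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(chars, 0, chars.Length);
        }
        secure.MakeReadOnly();
        return secure;
    }
}

public static class Program
{
    public static void Main()
    {
        // Run once on the target machine (DPAPI output is tied to that machine and account).
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        SelectiveDpapi.EncryptConfiguredKeys(config);

        // Decrypt only when needed; dispose the SecureString when done with it.
        using (SecureString secret = SelectiveDpapi.GetSecret(config, "ValuableKey1"))
        {
            Console.WriteLine("ValuableKey1 decrypted into a SecureString of length " + secret.Length);
        }
    }
}
```

For a web application, open the configuration with WebConfigurationManager.OpenWebConfiguration("~") instead of OpenExeConfiguration. The read-only SecureString returned by GetSecret can be handed straight to APIs that accept one, such as System.Data.SqlClient.SqlCredential, so the database password never has to exist as a plain string. Because DataProtectionScope.CurrentUser derives its key from the account's profile, an IIS application pool must have "Load User Profile" enabled, otherwise Protect and Unprotect fail; DataProtectionScope.LocalMachine avoids that dependency at the cost of letting any account on the machine that knows the entropy decrypt the value.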

EncryptUtility methods were written by Jon Galloway.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sei Flavius
Engineer @ Curbsidr
United States
Check our technical blog for more tips and articles @
Comments and Discussions

Question: Keep comments (Member 10350206, 13-Dec-13 4:51)
Question: My vote of 5 (Björn Ranft, 4-Mar-12 5:32)
  Answer: Re: My vote of 5 (Andrey Tabachnik, 28-Jun-12 13:35)
General: My vote of 5 (Filip D'haene, 26-May-11 10:22)
  General: Re: My vote of 5 (Andrey Tabachnik, 10-Sep-11 15:03)
General: My vote of 5 (Patrick Kalkman, 14-Mar-11 22:36)
  Nice solution, thanks for sharing it.
  General: Re: My vote of 5 (Andrey Tabachnik, 23-Mar-11 22:06)
General: XDP (daves_05, 13-Mar-11 6:06)
  General: Re: XDP (Andrey Tabachnik, 13-Mar-11 18:24)
General: My vote of 5 (easey, 8-Mar-11 3:22)
General: My vote of 5 (jawed.ace, 7-Mar-11 23:43)
  General: Re: My vote of 5 (Andrey Tabachnik, 8-Mar-11 8:43)
General: Use Windows Authentication (Reaboi Artur, 7-Mar-11 19:11)
  General: Re: Use Windows Authentication (Andrey Tabachnik, 7-Mar-11 20:22)
  General: Re: Use Windows Authentication (Reaboi Artur, 13-Mar-11 5:58)
General: My vote of 5 (DrABELL, 7-Mar-11 10:48)
  General: Re: My vote of 5 (Andrey Tabachnik, 7-Mar-11 15:42)

Last Updated 8 Mar 2011
Article Copyright 2011 by Sei Flavius