Posted 14 Apr 2007

Encrypt sensitive information in web.config file



Certain sections of the web.config file can be encrypted using the "Protected Configuration" technique. In our current application, we shall encrypt the database connection string, which is otherwise stored in clear text.

Implementation guidelines: Deployment Phase

  1. The application should be hosted in the local IIS (production system). In the current case, the application name is TestEncrypt and the application is developed in ASP.NET 2.0.
  2. Create a web.config file and specify the connection string in the connectionStrings section, inside the configuration element. Add the connection string using an add element:
      <connectionStrings>
        <add name="ConnectionString" connectionString="Data Source=;
            Initial Catalog=TestDatabase;User ID=sa; password=TestPassword"
          providerName="System.Data.SqlClient" />
      </connectionStrings>
  3. To encrypt the connectionStrings section, run the following command at the command prompt:
    aspnet_regiis -pe "connectionStrings" -app "/TestEncrypt"
  4. Once encryption is successful, the web.config file will look like:
      <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
        <EncryptedData Type=""
          <EncryptionMethod Algorithm="" />
          <KeyInfo xmlns="">
            <EncryptedKey xmlns="">
              <EncryptionMethod Algorithm="" />
              <KeyInfo xmlns="">
                <KeyName>Rsa Key</KeyName>
  5. Provide access to the user account under which ASP.NET is running. By default, on Windows Server 2003 with impersonation for an ASP.NET application disabled in the Web.config file, the identity under which the application runs is the NETWORK SERVICE account. On other versions of Windows, ASP.NET runs under the local ASPNET account (MACHINENAME\ASPNET). Use the following code snippet (in C#) in a page of the application to find out the current user account:
    <% Response.Write(System.Security.Principal.
                    WindowsIdentity.GetCurrent().Name); %>
  6. At the command prompt, execute the following command to grant permissions to the User Account:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "<USERACCOUNTINSTEP5>"
  7. To edit the encrypted values later, decrypt the connectionStrings section using the following command:
    aspnet_regiis -pd "connectionStrings" -app "/testEncrypt"
  8. Make the necessary changes to the connection string in clear text and repeat step 3 to encrypt the new values.



The same can be done during the development phase by providing an admin utility to encrypt and decrypt the connection string. Refer to the download file at the beginning of the article for the same.
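An admin utility of the kind mentioned above could look like the following console program, which encrypts or decrypts the connectionStrings section through the .NET configuration API instead of aspnet_regiis. This is an added example, not the article's download; the name ConfigProtect and its command-line arguments are assumptions.

```csharp
// Added example (not the article's download). Build as a console app that references
// System.Configuration.dll and System.Web.dll; run it elevated on the IIS server.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtect // hypothetical utility name
{
    const string SectionName = "connectionStrings";
    const string Provider = "RsaProtectedConfigurationProvider"; // provider shown in step 4

    static int Main(string[] args)
    {
        if (args.Length != 2 || (args[0] != "encrypt" && args[0] != "decrypt"))
        {
            Console.Error.WriteLine("usage: ConfigProtect encrypt|decrypt <virtual path, e.g. /TestEncrypt>");
            return 2;
        }
        bool encrypt = args[0] == "encrypt";
        try
        {
            // Opens the web.config of the application at this virtual path (default web site).
            Configuration config = WebConfigurationManager.OpenWebConfiguration(args[1]);
            ConfigurationSection section = config.GetSection(SectionName);
            if (section == null) { Console.Error.WriteLine("Section not found."); return 1; }
            SectionInformation info = section.SectionInformation;
            if (info.IsProtected == encrypt)
            {
                Console.WriteLine("Nothing to do: section is already " + (encrypt ? "encrypted." : "in clear text."));
                return 0;
            }
            if (encrypt) info.ProtectSection(Provider); // counterpart of aspnet_regiis -pe
            else info.UnprotectSection();               // counterpart of aspnet_regiis -pd
            info.ForceSave = true;                      // write the section even if otherwise unchanged
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine(SectionName + (encrypt ? " encrypted" : " decrypted") + " for " + args[1]);
            return 0;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Raised, for example, when the account cannot use the RSA key container (see step 6).
            Console.Error.WriteLine("Configuration error: " + ex.Message);
            return 1;
        }
    }
}
```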



Comments and Discussions

Ask a question
Databinder, 15-Apr-07 17:45
What does this parameter "DataProtectionConfigurationProvider" mean?
How can I pass a different one?

Last Updated 14 Apr 2007
Article Copyright 2007 by pgindia