Encrypt .NET Configuration File

Wayne Ye

Rate me:

4.14/5 (7 votes)

25 Apr 2011CPOL1 min read

36.1K

How to encrypt .NET configuration file

Under some scenarios, developers want to encrypt some sections inside app.config or web.config file. This article How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA describes how to do so clearly, Scott Guthrie also posted one: Encrypting Web.Config Values in ASP.NET 2.0.

However, in the posts above, they use aspnet_regiis.exe and it seems it doesn’t directly support app.config, if we want to encrypt app.config for Windows Form or WPF applications While I tried use it to encrypt my app.config file, it generates a web.config which means my Winform definitely can’t use it, even if I copy the encrypted appSettings section from this generated web.config to my own app.config (ConfigurationManager.AppSettings[EncryptedKeyName] is null after I did that).

After several minutes of Google search and testing, I found the code below is simple and very straight forward to achieve this:

Configuration config = ConfigurationManager.OpenExeConfiguration(
    ConfigurationUserLevel.None);

SectionInformation appSettingsSecInfo = config.GetSection(
   "appSettings").SectionInformation;
if (!appSettingsSecInfo.IsProtected)
{
    Console.WriteLine("The configuration file has NOT been protected!");

    // Encrypt this section by using security provider 
    // (RsaProtectedConfigurationProvider or DpapiProtectedConfigurationProvider).
    appSettingsSecInfo.ProtectSection("RsaProtectedConfigurationProvider");
    appSettingsSecInfo.ForceSave = true;

    config.Save(ConfigurationSaveMode.Full);
}

This code snippet will do the encryption job and works for both app.config/web.config. Here is the MSDN definition page for SectionInformation.ProtectSection.

References

Overview of Protected Configuration: http://msdn.microsoft.com/en-us/library/hh8x3tas.aspx
RsaProtectedConfigurationProvider Class:
http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider.aspx
DpapiProtectedConfigurationProvider Class:
http://msdn.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider.aspx

This article was originally posted at http://wayneye.com/Blog/Encrypt-DotNet-Configuration-File

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Wayne Ye

Software Developer (Senior) SAP Labs Shanghai

China

Wayne is a software developer, Tech Lead and also a geek. He has more than 6 years' experience in Web development(server: ASP.NET (MVC), Web Service, IIS; Client: HTML/CSS/JavaScript/jQuery/AJAX), Windows development (Winform, Windows Service, WPF/Silverlight, Win32 API and WMI) and SQL Server. Deep understanding of GOF Design Patterns, S.O.L.i.D principle, MVC, MVVM, Domain Driven Design, SOA, REST and AOP.

Wayne's Geek Life http://WayneYe.com

Infinite passion on programming!

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Encrypt .NET Configuration File

References

License

Comments and Discussions