Click here to Skip to main content
14,421,761 members

How to Encrypt Web.config Using aspnet_regiis.exe (Framework 4+) Focus on Web Farms

Rate this:
4.96 (13 votes)
Please Sign up or sign in to vote.
4.96 (13 votes)
17 Feb 2015CPOL
This article provides a basic reference on how basic protection can be achieved using the aspnet_regiis.exe tool, by default installed with .Net Framework, and also some basic considerations when you are working with IIS WebFarms.

Introduction

While web.config file is the preferred store to save basic configuration settings, normally you do not care about sensitive information being exposed on it. Settings such as database connection strings and third party service credentials are usually stored in plain text, exposing them to malicious users. This post provides a basic reference on how basic protection can be achieved using the aspnet_regiis.exe tool, by default installed with .Net Framework, and also some basic considerations when you are working with IIS WebFarms. I will show an example on how use the RSA provider, however there is also the DPAPI provider available which is not covered in this article.

Encryption Providers

What is an encryption provider ? Basically it is a library that gives you the ability to encrypt sensitive data whether coding or using declarative configuration. Each encryption provider has its own pros and cons.

The basic aspnet_regiis.exe’s provider used is RsaProtectedConfigurationProvider, which use the RSA encryption algorithm. (more info (http://en.wikipedia.org/wiki/RSA_%28cryptosystem%29)

Also the DPAPI provider is available, it is installed by default as an operating system built-in component. (more info http://en.wikipedia.org/wiki/Data_Protection_API)

 Using RSA or DPAPI

-prov “RsaProtectedConfigurationProvider”

This method depends on private keys that can be shared among several machines, this makes it the right solution when working with several environments, such as development, testing and production. Also if you have to deal with a web farm having several IIS server’s, probably being synchronized by a DFS (Distributed File System).

-prov “DataProtectionConfigurationProvider”

This method depends on the machine where you originally encrypted the data, for example if machine A encrypts “hello world”, only machine A has the right keys to decrypt it. This result in a non-suitable solution when working with web farms.

Now that you know what is the provider that fits into your environment lets do the job.

Do you remember where aspnet_regiis.exe is located ? sure: C:\Windows\Microsoft.NET\Framework\v4.0.30319

So lets open a command prompt such as “Developer Command Prompt for VS2013″, be sure to have administrative permission. On the server you can use cmd.exe.

Image 1

aspnet_regiis.exe -pef command (Encryption)

This command encrypt a specific section in a specific hard drive location, so for example to encrypt “appSettings” section in site located at “C:\inetpub\wwwroot\app\WebConfigEncryption” run:

aspnet_regiis.exe -pef appSettings  C:\inetpub\wwwroot\app\WebConfigEncryption

Image 2

To encrypt “connectionStrings” section run:

aspnet_regiis.exe -pef connectionStrings  C:\inetpub\wwwroot\app\WebConfigEncryption

Image 3

Important!!! Section names are case sensitive and also be sure to specify the path without “”.

This is the resultant file with both sections encrypted:

Image 4

Image 5

As I said, the RSA provider by default relys on keys that can be shared among several machines, however this is not the default behavior so I can not share a file encrypted on machine A with the machine B. I will receive an error as follows:

Image 6

In the same way, I can not decrypt any data on machine B:

Image 7

In order to share encrypted files among several machines refer to the following section.

Steps Required to Work With WebFarms

While working with single machine environments would not be tricky, WebFarms may require a little more attention. If you had worked with DFS’s (Distribuited File Systems) where the app files are automatically replicated among several machines , including .config files, the basic solution will not be suitable.

Here is where Key Containers appear to save the day.

A key container can be expressed as an xml file with the required key that can be used to encrypt/decrypt the data in several servers. One key container can be used among several applications, however in order to improve the security of an application’s sensitive configuration you can use several key containers, by doing so one’s application key container could not be used to decrypt web.config files encrypted with another key container.

Step 1: Creating an RSA Container

Aspnet_regiis.exe -pc “myApp1SampleKeys” -exp

This command requires 3 arguments:

  1. -pc : I want to create an RSA public/private key container.
  2. “name” : the key container name used in the web.config file.
  3. -exp: allow the container to be exportable.

Image 8

Step 2: Granting Access To An RSA Key Container

aspnet_regiis -pa “myApp1SampleKeys” “NT AUTHORITY\NETWORK SERVICE”

This command requires 3 arguments:

  1. -pa: I want to grant access to my key container.
  2. “name” : the key container’s name.
  3. “account”: account name being granted access. 

Image 9

Step 3: Updating app’s web.config file to specify a customProvider

<configProtectedData>
<providers>
<add name="customProvider"

type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

keyContainerName="myApp1SampleKeys"

useMachineContainer="true" />
</providers>
</configProtectedData>

Be sure to check these two values:

  1. The provider name “customProvider”
  2. The KeyContainerName “myApp1SampleKeys”

Step 4: Encrypting appSection Using Our New CustomProvider

aspnet_regiis.exe -pef appSettings C:\inetpub\wwwroot\app\WebConfigEncryption -prov “customProvider”

Image 10

This will be the result:

Image 11

Step 5: Exporting the Key Container in Order to be Used in Other Machines

aspnet_regiis -px “myApp1SampleKeys” c:\myApp1SampleKeys.xml -pri

This command requires 4 arguments:

  1. -px: I want to export my key container.
  2. “name” : the key container’s name.
  3. “path”: the path where the xml file will be created.
  4. -pri: also include the private key.

Image 12

Step 6: Importing the Key Container on Another Machine

aspnet_regiis -pi “myApp1SampleKeys” c:\myApp1SampleKeys.xml

This command requires 3 arguments:

  1. -pi: I want to import a key container.
  2. “name” : the key container’s name.
  3. “path”: the path where the xml file will be read.

Image 13

Step 7: Granting Access to Our New RSA Key Container

aspnet_regiis -pa “myApp1SampleKeys” “NT AUTHORITY\NETWORK SERVICE”

Required in order to read the key container.

Step 8: Delete the Xml File From Your Server

Do not let an attacker find the XML with the keys.

aspnet_regiis.exe -pdf command (Decryption)

The last useful command is -pdf which allows us to decrypt any previously encrypted section.

aspnet_regiis.exe -pdf appSettings C:\inetpub\wwwroot\app\WebConfigEncryption

This command requires 3 arguments:

    1. -pdf: I want to decrypt a value.
    2. “name” : the key sections’s name having the encrypted value.
    3. path: the path of the web.config file.

Image 14

Accesing Encrypted Values Within Source Code

Encrypted values can be read at runtime as if they were not encoded, keep in mind that while the application is running encrypted data could be read from memory so you probably would need to use an specialized string such as SecureString Class (https://msdn.microsoft.com/en-us/library/system.security.securestring%28v=vs.110%29.aspx).

Image 15

Overall, keeping as secure as possible the settings contained in a web.config should be one of the main concerns in both release and configuration management policies.

History

2015/02/17 : First Publish

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Rolando CC
Technical Lead
Costa Rica Costa Rica
Software Developer and blogger. { #net #javascript #angularJs #azure c# #mvc #security }

http://www.rolandocr.com

Comments and Discussions

 
QuestionPreventing others from exporting the key and decrypting the config file Pin
Member 1361665010-Jan-18 9:59
MemberMember 1361665010-Jan-18 9:59 
AnswerRe: Preventing others from exporting the key and decrypting the config file Pin
Member 98162129-Apr-19 11:23
MemberMember 98162129-Apr-19 11:23 
AnswerRe: Preventing others from exporting the key and decrypting the config file Pin
Hashan00110-Sep-19 1:45
MemberHashan00110-Sep-19 1:45 
GeneralNot working in Prod Pin
Member 1218117429-Oct-17 21:41
MemberMember 1218117429-Oct-17 21:41 
QuestionFailed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Not enough storage is available to process this command Pin
Member 123064873-Feb-16 19:24
MemberMember 123064873-Feb-16 19:24 
QuestionGreat article Pin
lookitstony10-Sep-15 11:44
Memberlookitstony10-Sep-15 11:44 
QuestionEncryption C# web config fails Pin
Recmach8-Sep-15 22:03
MemberRecmach8-Sep-15 22:03 
AnswerRe: Encryption C# web config fails Pin
lookitstony10-Sep-15 11:40
Memberlookitstony10-Sep-15 11:40 
GeneralRe: Encryption C# web config fails Pin
Recmach10-Sep-15 21:58
MemberRecmach10-Sep-15 21:58 
GeneralRe: Encryption C# web config fails Pin
lookitstony11-Sep-15 7:34
Memberlookitstony11-Sep-15 7:34 
QuestionUse this on aruba Pin
fabal15-Apr-15 3:56
Memberfabal15-Apr-15 3:56 
AnswerRe: Use this on aruba Pin
Rolando CC15-Apr-15 5:09
professionalRolando CC15-Apr-15 5:09 
GeneralRe: Use this on aruba Pin
fabal15-Apr-15 5:40
Memberfabal15-Apr-15 5:40 
GeneralRe: Use this on aruba Pin
Rolando CC15-Apr-15 6:02
professionalRolando CC15-Apr-15 6:02 
GeneralMy vote of 5 Pin
Humayun Kabir Mamun18-Feb-15 22:53
MemberHumayun Kabir Mamun18-Feb-15 22:53 
GeneralRe: My vote of 5 Pin
Rolando CC19-Feb-15 5:29
professionalRolando CC19-Feb-15 5:29 
GeneralRe: My vote of 5 Pin
kulngr19-Dec-17 21:20
Memberkulngr19-Dec-17 21:20 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Tip/Trick
Posted 17 Feb 2015

Stats

109.7K views
23 bookmarked