Encrypting the Web.Config File -- Visual Studio Magazine

Encrypting the Web.Config File

If you're concerned about keeping critical information in your Web.config file, then you should encrypt it -- or at least the parts that you're concerned about.

By Peter Vogel
06/11/2009

I love keeping information in my Web.config file's appSettings section; it lets me change the behavior of a Web site just by changing values in a text file. I especially like keeping connection strings in the connectionStrings element (it lets me ensure that I keep the number of connection strings to a minimum, which enhances connection pooling performance).

My clients don't always agree with me about storing data in the config file. To be more specific, my clients are concerned about keeping sensitive information (like connectionStrings) in a text file. I tell my clients that if people can pull text files off their Web server, then they have problems that even I can't solve.

My clients don't find that a compelling argument.

And, to be honest, they have a point. A sizeable percentage of security breaches are made by people inside an organization -- people the Web site may not protect itself from. So I suggest to my clients encrypt their web.config file. I skimmed over this topic in an earlier column on managing the Web.config file during deployment ("Managing Web.Config Settings During Deployment"). After a couple of reader questions, I'm finally getting around to discussing the topic in detail.

Encrypting Sections
This is the code that I use to encrypt a specific section of the Web.config file. I first select a section using the Configuration object's Sections collection. In this case, I'm selecting the connectionStrings section:

Dim configFile As System.Configuration.Configuration 
Dim configSection As ConfigurationSection 

configFile = System.Web.Configuration.WebConfigurationManager. _
                                   OpenWebConfiguration(Request.ApplicationPath)
configSection = configFile.Sections("connectionStrings")

This code assumes that it's running from a page on the site so I can use the ApplicationPath property on the Request object to get the physical path to the web.config's folder. If you wanted to create a utility, you'd need to hard code the path you pass to the OpenWebConfiguration method.

Now that I have the section, I encrypt it, specifying the encryption scheme that I want to use. The last step is to save the encrypted version back to the config file:

configSection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
configFile.Save()

The result looks like this in the Web.config file:

<connectionStrings 
     configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
         <CipherData>
            <CipherValue>...encrypted data... </CipherValue>
         </CipherData>
      </EncryptedData>
</connectionStrings>

The good news is that when you use the ConfigurationManager's ConnectionString collection to retrieve an encrypted connection string, the connection string is automatically decrypted for you. This code works whether the connectionStrings section is encrypted or not:

Dim cnStr As String
cnStr = System.Web.Configuration.WebConfigurationManager. _
          ConnectionStrings("Northwind").ConnectionString

Since the strings are encrypted using the private key for the Web server, even if the file is stolen from the site, it can't be decrypted on any machine except the Web server. This also means that you can't encrypt the connection string until the application has been moved to the production server: If you encrypt the connection string on the test server and then move your site to the production server, ASP.NET won't be able to decrypt the string using the production server's private key.

On occasion, you'll need to decrypt the web.config section just to check what's actually in the file. This code takes care of that job:

Dim configFile As System.Configuration.Configuration 
Dim configSection As ConfigurationSection 
 
configFile = System.Web.Configuration.WebConfigurationManager. _
                                   OpenWebConfiguration(Request.ApplicationPath)
configSection = configFile.Sections("connectionStrings")
configSection.SectionInformation.UnProtectSection()
configFile.Save()

Command Line Encryption
If you'd prefer not to use code, you encrypt (or decrypt) sections of your web.config file using the aspnet_regiis utility. You must pass the utility the -pe parameter to specify the section to encrypt along with the path name to the config file's folder, and you must also pass the -prov parameter to specify the encryption scheme:

aspnet_regiis.exe -pef section physical_directory -prov provider

This example encrypts the configurationStrings section for a config file in the c:\NorthwindCRM folder:

aspnet_regiis.exe -pef configurationStrings c:\NorthwindCRM 
      -prov "RsaProtectedConfigurationProvider"

You can also use aspnet_regiis utility to decrypt the section using the -pdf parameter instead of -pef.

Or you could just make sure that no one can steal text files from your Web server.

About the Author

Peter Vogel is a system architect and principal in PH&V Information Services. PH&V provides full-stack consulting from UX design through object modeling to database design. Peter tweets about his VSM columns with the hashtag #vogelarticles. His blog posts on user experience design can be found at http://blog.learningtree.com/tag/ui/.

Printable Format

comments powered by Disqus

Featured

Creating Reactive Applications in .NET

In modern applications, data is being retrieved in asynchronous, real-time streams, as traditional pull requests where the clients asks for data from the server are becoming a thing of the past.
AI for GitHub Collaboration? Maybe Not So Much

No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.
Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.
.NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.
Data Anomaly Detection Using a Neural Autoencoder with C#

Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

Subscribe on YouTube

.NET Insight

Email Address*Country*

Please type the letters/numbers you see above.

Upcoming Training Events

0 AM

Visual Studio Live! Chicago
April 29-May 3, 2024

VSLive! 2-Day Training Seminar: Building Cloud-Ready, Resilient Systems in .NET
June 4-5, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
July 16-19, 2024

Visual Studio Live! Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

VSLive! 4-Day Hands-On Training Seminar: Hands-on with Blazor
September 17-20, 2024

VSLive! 2-Day Hands-On Training Seminar: Developing Secure ASP.NET Web Apps
September 24-25, 2024

Live! 360 Orlando
November 17-22, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
December 10-13, 2024

Free Webcasts

> More Webcasts