Encrypting Web.Config


Solution 1

I believe there are two ways of doing this:

  • using aspnet_regiis using DPAPI or RSA, or
  • doing it programmatically.

The programmatic way can be handy, particularly if you also like to encrypt app.config.

From my experience of using this, if you write a custom configuration section, you have to install the DLL containing the classes for that section into the GAC. For a project I was working on, I basically scripted the following approach:

  • Copy config DLL to GAC.
  • Perform encryption.
  • Remove config DLL from GAC.

Chances are, if you are just encrypting connection strings, this won't be a problem. You also need to bear in mind whether you want to encrypt on a machine-wide basis or to a specific user account; both options can be useful depending on your scenario. For simplicity I stuck to machine-wide encryption. The links I have provided explain the merits of both approaches.
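
The programmatic route mentioned in Solution 1, as an added example that is not part of the original answer. It uses the standard System.Configuration API to protect a section in both a web.config and an app.config; the virtual path "/MyApp" and the executable path are placeholder assumptions, and the project needs references to System.Configuration and System.Web.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtector
{
    // Built-in protected configuration providers registered in machine.config.
    const string Dpapi = "DataProtectionConfigurationProvider";
    const string Rsa = "RsaProtectedConfigurationProvider";

    // Encrypts or decrypts one section of an already opened configuration file.
    static void SetProtection(Configuration config, string sectionName,
                              bool protect, string provider)
    {
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsLocked)
            throw new InvalidOperationException("Section is locked: " + sectionName);

        if (protect && !info.IsProtected)
            info.ProtectSection(provider);
        else if (!protect && info.IsProtected)
            info.UnprotectSection();
        else
            return; // already in the requested state, leave the file untouched

        info.ForceSave = true; // write the section even if its values did not change
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main()
    {
        // web.config of the application at an assumed virtual path.
        Configuration web = WebConfigurationManager.OpenWebConfiguration("/MyApp");
        SetProtection(web, "connectionStrings", true, Rsa);

        // app.config of an executable at an assumed path (saved as MyService.exe.config).
        Configuration app = ConfigurationManager.OpenExeConfiguration(
            @"C:\Apps\MyService\MyService.exe");
        SetProtection(app, "connectionStrings", true, Dpapi);
    }
}
```

Run it on the machine that will host the application, under an account that can write the config file; the application then reads the section through the normal configuration API without any extra code.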

Solution 2

Here are the commands to encrypt web.config file without any programming...

For encryption

aspnet_regiis -pef "Section" "Path excluding web.config"

For Decryption

aspnet_regiis -pdf "Section" "Path excluding web.config"

With these commands you can encrypt or decrypt all the sections.

Solution 3

Have you tried this: http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx

Solution 4

You should start from here, easy to follow, well explained step-by-step guide in MSDN: How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Solution 5

Use the aspnet_regiis tool in your framework directory:

-- CONFIGURATION ENCRYPTION OPTIONS --

-pe section           Encrypt the configuration section. Optional arguments:
                      [-prov provider] Use this provider to encrypt.
                      [-app virtual-path] Encrypt at this virtual path. Virtual path must begin with a forward slash.
                      If it is '/', then it refers to the root of the site. If -app is not specified, the root
                      web.config will be encrypted.
                      [-site site-name-or-ID] The site of the virtual path specified in -app. If not specified, the
                      default web site will be used.
                      [-location sub-path] Location sub path.
                      [-pkm] Encrypt/decrypt the machine.config instead of web.config.

-pd section           Decrypt the configuration section. Optional arguments:
                      [-app virtual-path] Decrypt at this virtual path. Virtual path must begin with a forward slash.
                      If it is '/', then it refers to the root of the site. If -app is not specified, the root
                      web.config will be decrypted.
                      [-site site-name-or-ID] The site of the virtual path specified in -app. If not specified, the
                      default web site will be used.
                      [-location sub-path] Location sub path.
                      [-pkm] Encrypt/decrypt the machine.config instead of web.config.

Author by

TheVillageIdiot

Working as a senior software developer with fin-tech startup.

Updated on July 09, 2022

Comments

  • TheVillageIdiot
    TheVillageIdiot almost 2 years

    Duplicate of Encrypting config files for deployment .NET and Encrypting config files for deployment


    What is the best approach and tools for encrypting information in web.config file?

    • Henk Holterman
      Henk Holterman almost 15 years
      @Zeus, true, but the first two in the 'Related' box will do.
  • Ganesh R.
    Ganesh R. almost 15 years
    The blog mentions that IIS manager allows one to edit encrypted sections. But IIS 7 onwards this is not true. The runtime can decrypt the encrypted web.config but not the IIS manager
  • TheVillageIdiot
    TheVillageIdiot almost 15 years
    Yes @Richard, making it machine wide makes it easier!
  • TheVillageIdiot
    TheVillageIdiot almost 15 years
    Thanks @irwin very nice resource for further studying the problem.
  • user2444499
    user2444499 over 10 years
    Don't put a trailing "\" on the end of the path either. It didn't work for me until I removed that.
  • Haminteu
    Haminteu over 9 years
    Hi RichardOD, my question is.. If doing it programmatically. When do I need to encrypt and decrypt the webconfig file? Check my post on this link --> stackoverflow.com/questions/25614737/encrypt-decrypt-web-config
  • markthewizard1234
    markthewizard1234 almost 8 years
    What is the point of doing this? Anyone can easily decrypt the connection strings just as easily as we can encrypt it.
  • marsze
    marsze about 7 years
    @markthewizard1234 The keys used for encryption are machine-specific. So you would not be able to encrypt it unless you have access to the server. See codeproject.com/Tips/795135/… (paragraph Questions & Answers)
  • marsze
    marsze about 7 years
    And make sure to run with admin privileges.
  • Irfan Yusanif
    Irfan Yusanif over 4 years
    Where to run this command, when I start cmd as administrator and run command it says 'aspnet_regiis' is not recognized as an internal or external command, operable program or batch file. And when I go to the path C:\Windows\Microsoft.NET\Framework\v4.0.30319 and open file aspnet_regiis.exe it auto closes. How can I run this command?
  • Icad
    Icad almost 3 years
    You can find the aspnet_regiis.exe at C:\Windows\Microsoft.NET\Framework64\v4.0.30319. Execute the aspnet_regiis.exe inside of the Windows command prompt (cmd). You might use "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -pdf "Section" "Path excluding web.config"
  • Tim
    Tim over 2 years
    @markthewizard1234: Anyone who has admin access to the server.