encrypting web.config failed error

asp.net security iis configuration

27,782

Solution 1

for the command "aspnet_regiis -pef" the path of configuration file is the physical path (Not virtual) and also it is the path of directory/folder where web.config resides. So one should not include the name of file in path e.g.

if your web.config path is at D:\MyConfiguration\web.config then while encrypting/decrypting you will use it as follow:

encrypt:

aspnet_regiis -pef [sectionName] "D:\MyConfiguration"

decrypt:

aspnet_regiis -pdf [sectionName] "D:\MyConfiguration"

Solution 2

I know this is old, but I've just had the same issue and none of the other answers got the problem.

You're not supposed to put the filename in the path, and the file MUST be called web.config. So for your example, if your web.config file is actually in C:\ you would put:

aspnet_regiis -pef "connectionStrings" "C:\"

and your file MUST be called web.config as the tool will only look for that file.

For those people whose file isn't in C:\ you'll need to put the full path to the file (root of the site). You'll also need to cd into the directory containing the aspnet_regiis.exe file or put the full file path for the tool as well:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pef "ConnectionStrings" "C:\Ghron\Projects\Company\trunk\project1\project1"

Also, some of the other answers are valid points - the parameters are case sensitive, so your paths and section names must be in the right case. I wasted about 20 minutes using "ConnectionStrings" instead of "connectionStrings" (lower case c).

Solution 3

The Sections are CASE SENSITIVE.

Do not Add \ at the end of the path (no web.config needed).

You don't need to do it straight on a site; instead, copy the file to any location.

Encrypting:

aspnet_regiis -pef "SECTIONTOENTRYPT" "d:\tempEnCrypt" -prov WhateverProviderYouAreUsing

Decrypting:

aspnet_regiis -pdf "SECTIONTOENTRYPT" "d:\tempEncrypt"

You can use this to encrypt an app.config as well, just rename the file for the encryption/decryption as web.config

Solution 4

Encrypt/Decrypt web.config

source is taken from this link https://mywebanecdotes.com/2016/09/17/encrypting-credentials-in-app-config-for-multiple-machines/
Firstly, if you have App.config, you need to rename to Web.config. And when done rename it back. This is because aspnet_regiis.exe recognize only Web.config file.
Then create a custom attribute SecuredSettings(any name is fine) either in you App.config or Web.config file.

<configuration>
<configSections>
   <section name="SecuredSettings" type="System.Configuration.NameValueSectionHandler" />
 </configSections>
 <SecuredSettings>
      <add key="pwrd" value="password" />
 </SecuredSettings>
 <configProtectedData>
   <providers>
     <add keyContainerName="MyCustomKeys"
              useMachineContainer="true"
              name="MyEncryptionProvider"
              type="System.Configuration.RsaProtectedConfigurationProvider"/>
   </providers>
 </configProtectedData>

</configuration>

In C# you can retrieve these values as you would do it normally. eg:

var attr = ConfigurationManager.GetSection("SecuredSettings") as NameValueCollection;
var value = attr["pwrd"];

The rest is ecrypting or decrypting
Run cmd As Administrator , and locate to C:\Windows\Microsoft.NET\Framework\v4.0.30319
"Create a public/private RSA key pair with a specfic container name. They should also be marked as exportable (otherwise what is the point!)"
aspnet_regiis.exe -pc MyCustomKeys -exp
"Grant permissions for accounts to access the container"
aspnet_regiis.exe -pa MyCustomKeys "NT AUTHORITY\NETWORK SERVICE"
"The following line will now encrypt your section (the pwdr value). The -pef switch is telling the application to look for a web.config file and to use provider that is declared in the beginning (which is using type RsaProtectedConfigurationProvider)"
aspnet_regiis.exe -pef "SecuredSettings" "C:\DEV\ConsoleApp\DEX" -prov MyEncryptionProvider
Export those Keys to another machine (if needed)
aspnet_regiis.exe -px MyCustomKeys keys.xml -pri it will generate keys.xml file in C:\Windows\Microsoft.NET\Framework\v4.0.30319
copy this file and put it in another machine where you would like to use it, to the same location C:\Windows\Microsoft.NET\Framework\v4.0.30319, and run:
aspnet_regiis -pi MyCustomKeys keys.xml
after you can delete the file from both sides.
Don't forget to rename Web.config to App.config, if you did so at the beginning.
TO Decrypt the file:
aspnet_regiis.exe -pdf "SecuredSettings" "C:\DEV\ConsoleApp\DEX"

Solution 5

I was experiencing the same problem and here's what worked for me:

add the aspnet_regiis tool's folder path to your %PATH% variable. This ensures that the tool is accessable from any folder in your command line. See this page for a brief explanation of how to add %PATH% variables: http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx
navigate to your web root folder (don't know if this is necessary but that's where I was navigated when I executed the command)
execute the command with the -pe argument and the -app argument like such:

aspnet_regiis -pe {section to encrypt} -app "{path from root folder to app, like: "/myappname", use quotes}

View more solutions

27,782

alice7

Updated on December 04, 2021

Comments

alice7 over 2 years

I know that ppl have already asked questions regarding encrypting web.config.

im also trying to encrypt my test config file, but im getting this error.

aspnet_regiis -pef "connectionStrings" "C:\encryptedWeb.config" Encrypting configuration section... The configuration for physical path 'C:\EncryptedWeb.config' cannot be opened. Failed!

I just want to know, what could be reasons that it failed.

I got the answer, it was the readonly property of the web.config which was the problem. After I removed the readonly It worked like a charm.
- SteveCav almost 3 years
  
  Try removing the quotes from connectionStrings.
alice7 almost 15 years

I have two questions. First one can we individually test config file which is not a part of any application. And if I have two config files in my IIS, how to choose one of them.
Stuart almost 15 years

Web.config files are employed in a hierarchy, for instance, the root folder will have a web.config, but can be over ridden in sub folders with another web.config. Is that what you were asking?
alice7 almost 15 years

Actually my concern is I don't want to mess up my actual web.config if something goes wrong. SO I created a seperate config file just for testing.So you mean I have to work on my actual config file even if I like it or not.
Stuart almost 15 years

work on the web.config, copy it before you change something you think could break it, name it something different, or save somewhere else
Stuart almost 15 years

Do you use source control for your app?
Iman almost 9 years

even extra backslash in D:\MyConfiguration\ throws an illegal character error
Mifo about 2 years

I love 10 year old answers that still help me! My issue was that I was adding the file name at the end. Also, I am encrypting a config file for a desktop app so I first had to change the file name to Web.config, run the command and then change back.