Encrypting Web.Config

Encrypting Web.Config

I believe there are two ways of doing this:

using aspnet_regiis using DPAPI or RSA, or doing it programmatically.

The programmatic way can be handy, particularly if you also like to encrypt app.config.

From my experiences of using this, if you write a custom configuration section, you have install the DLL containing the classes for that section into the GAC. For a project I was working I basically scripted the following approach:

  • Copy config DLL to GAC.
  • Perform encryption.
  • Remove config DLL from GAC.

Chances are if you are just encrypting connection strings then this won't be a problem. You also need to be bear in mind whether you want to encrypt on a machine wide basis or to a specific user account- both options can be useful depending on your scenario. For simplicity I stuck to machine wide encryption. The links I have provided explain the merits of both approaches.

Encrypt the connection String in ASP.NET Web Config

You can run directly through the location

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "ProConnection" -app "/NewTestAPI" -prov "RsaProtectedConfigurationProvider"

Is it possible to encrypt a config file specified as a configSource from web.config?

This was because of the type I was using to define my config section. Although there are no docs to prove it, it appears that the NameValueSectionHandler type does not encrypt when used for a config source. The solution was to change the type to System.Configuration.AppSettingsSection and the encryption works correctly

Encrypt the web.config file

When running aspnet_regiis, you need to indicate the name of the node you want to encrypt. You cannot select what you want to encrypt by an attribute value. Basically, change

aspnet_regiis -pef ProvantisDataConnection

to

aspnet_regiis -pef connectionStrings

ASP.Net MVC5:How to encrypt decrypt connection string in web.config

I don't know how sensitive your data is, but I suppose you could try the following:

  1. Encrypt the connectionString manually first (for instance, with AES(Rijndael)).
  2. Paste the encrypted string in your web.config.

  3. Decrypt the string in your code, using something like this

    private string getConnectionString()
    {
        string encrypted = System.Configuration.
              ConfigurationManager.AppSettings["connectionString"];

        //Rijndael or any other form of decryption here...
        //.....
        //.....

        return decryptedString;
    }

  4. Use the decrypted connectionString to connect to your database! :)


Related Topics

Why C# Won't Allow Field Initializer with Non-Static Fields

Simple Automapper Example

Linq Query Group by and Selecting First Items

Where in (Array of Ids)

How to Intercept Console Output

C# ASP.NET Write File to Client

How to Asynchronously Read the Standard Output Stream and Standard Error Stream at Once

The Entity or Complex Type ' ' Cannot Be Constructed in a Linq to Entities Query

The Limitation on the Size of .Net Array

How to Convert Date Format to Dd-Mm-Yyyy in C#

C#: Detecting Which Application Has Focus

How to Test Smtpclient Before Calling Client.Send()

Why Can't We Assign a Foreach Iteration Variable, Whereas We Can Completely Modify It with an Accessor

Overload Resolution and Virtual Methods

Creating an Anonymous Type Dynamically

How to Output Unicode String to Rtf (Using C#)

Monitor a Process's Network Usage

Data Binding Directly to a Store Query (Dbset, Dbquery, Dbsqlquery) Is Not Supported


Leave a reply



Submit