Programmatically Encrypting a Config-File in .NET

To summarize the answers and what I've found so far, here are some good links to answer this question:

  • Encrypting Configuration Information in ASP.NET 2.0 Applications - 4GuysFromRolla.com
  • How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI - MSDN

Please feel free to complement with other links, maybe some to WinForms- or WPF-applications.

Encrypt Web.Config Programmatically in Global.asax

As Dbugger mentioned in the comments, the solution is:

    WebConfigurationManager.OpenWebConfiguration("~");

Encrypting app.config File

You cannot encrypt the entire <system.serviceModel> - it's a configuration section group, which contains configuration sections.

The aspnet_regiis will only encrypt configuration sections - so you need to selectively encrypt those parts you need, like this:

    cd C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    aspnet_regiis.exe -pef "system.serviceModel/bindings" .
    aspnet_regiis.exe -pef "system.serviceModel/services" .

etc.

With this, you can easily encrypt what you need - what isn't too important can be left in clear text.

Word of warning: since it's aspnet_regiis, it expects to be dealing with a web.config file - copy your app.config to a location and call it web.config, encrypt your sections, and copy those encrypted sections back into your own app.config.

Or write your own config section encrypter/decrypter - it's really just a few lines of code! Or use mine - I wrote a small ConfigSectionCrypt utility, come grab it off my OneDrive - with full source (C# - .NET 3.5 - Visual Studio 2008). It allows you to encrypt and decrypt sections from any config file - just specify the file name on the command line.

Encrypting web.config sections

From the MSDN docs, it's clear that one can encrypt and decrypt a web.config section using the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted, as long as the section is not one of these:

The following is a list of configuration sections that cannot be encrypted using protected configuration: processModel, runtime, mscorlib, startup, system.runtime.remoting, configProtectedData, satelliteassemblies, cryptographySettings, cryptoNameMapping, and cryptoClasses. It is recommended that you use other means of encrypting sensitive information, such as the ASP.NET Set Registry console application (Aspnet_setreg.exe) tool, to protect sensitive information in these configuration sections.

Here's what you need to encrypt all other possible sections:

  • Encrypting and Decrypting Configuration Sections
  • Walkthrough: Encrypting Configuration Information Using Protected Configuration

Encrypt connection string in app.config

Have a look at this article; it has some very useful examples. You're basically looking for System.Configuration.SectionInformation.ProtectSection to help you out here.

Also have a peek at Implementing Protected Configuration
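
As an added example (not taken from any of the answers on this page), here is a small command-line sketch of the ProtectSection approach that works on any config file path, which is also the "few lines of code" route mentioned above for app.config. The class name and usage strings are made up for illustration.

```csharp
using System;
using System.Configuration; // add a reference to System.Configuration.dll

public static class ConfigSectionProtector
{
    // Built-in DPAPI provider; "RsaProtectedConfigurationProvider" is the other built-in one.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Returns true if the file was changed, false if the section was already in that state.
    public static bool SetProtection(string configPath, string sectionName, bool protect)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configPath };
        Configuration config =
            ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

        // Pass a concrete section path ("connectionStrings", "system.serviceModel/bindings"),
        // not a section group; a null result means no such section was found.
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No configuration section named '" + sectionName + "'.");

        SectionInformation info = section.SectionInformation;
        if (info.IsLocked)
            throw new InvalidOperationException("Section '" + sectionName + "' is locked.");
        if (info.IsProtected == protect)
            return false;

        if (protect) info.ProtectSection(Provider);
        else info.UnprotectSection();

        info.ForceSave = true;                        // write the section even if otherwise unmodified
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Usage (hypothetical tool name): ConfigCrypt.exe encrypt|decrypt <config-file> <section>
    public static int Main(string[] args)
    {
        if (args.Length != 3 || (args[0] != "encrypt" && args[0] != "decrypt"))
        {
            Console.Error.WriteLine("usage: encrypt|decrypt <config-file> <section>");
            return 2;
        }
        bool changed = SetProtection(args[1], args[2], args[0] == "encrypt");
        Console.WriteLine(changed ? "Section updated." : "Nothing to do.");
        return 0;
    }
}
```

Sections protected with the DPAPI provider can only be decrypted on the machine that encrypted them, so run this on the target host, or switch the provider to RsaProtectedConfigurationProvider with a shared key container when the file has to move between servers.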

Encrypted configuration in ASP.NET Core

User secrets looks like a good solution for storing passwords, and, generally, application secrets, at least during development.

Check the official Microsoft documentation. You can also review this other SO question.

This is just a way to "hide" your secrets during the development process and to avoid disclosing them in the source tree; the Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store.

If you want to bring an encrypted appsettings.json to production, you can do so by building a custom configuration provider.

For example:

    using System.Collections.Generic;
    using Microsoft.Extensions.Configuration;

    // Acts as both the configuration source and the provider,
    // so Build() can hand a provider instance back to the builder.
    public class CustomConfigProvider : ConfigurationProvider, IConfigurationSource
    {
        public CustomConfigProvider()
        {
        }

        // Called by the configuration system; fills Data with the decrypted key/value pairs.
        public override void Load()
        {
            Data = UnencryptMyConfiguration();
        }

        private IDictionary<string, string> UnencryptMyConfiguration()
        {
            // do whatever you need to do here, for example load the file and unencrypt key by key
            // Like:
            var configValues = new Dictionary<string, string>
            {
                {"key1", "unencryptedValue1"},
                {"key2", "unencryptedValue2"}
            };
            return configValues;
        }

        // Placeholder for writing an initial encrypted file; not called anywhere in this sketch.
        private IDictionary<string, string> CreateAndSaveDefaultValues(IDictionary<string, string> defaultDictionary)
        {
            var configValues = new Dictionary<string, string>
            {
                {"key1", "encryptedValue1"},
                {"key2", "encryptedValue2"}
            };
            return configValues;
        }

        public IConfigurationProvider Build(IConfigurationBuilder builder)
        {
            return new CustomConfigProvider();
        }
    }

Define a static class for your extension method:

    public static class CustomConfigProviderExtensions
    {
        public static IConfigurationBuilder AddEncryptedProvider(this IConfigurationBuilder builder)
        {
            return builder.Add(new CustomConfigProvider());
        }
    }

And then you can activate it:

    // Set up configuration sources.
    var builder = new ConfigurationBuilder()
        .AddJsonFile("appsettings.json")
        .AddEncryptedProvider()
        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
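
To show what "load the file and unencrypt key by key" can look like in practice, here is an added example (not the answer author's code) of a provider whose Load() decrypts each value with AES-GCM. It assumes .NET 8 or later, a flat JSON file whose values are base64 of nonce, tag and ciphertext, and a 32-byte key supplied from outside the file; the type names, file name and file layout are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.Configuration;

public sealed class EncryptedJsonSource : IConfigurationSource
{
    public string FilePath { get; init; } = "appsettings.enc.json"; // hypothetical file name
    public byte[] Key { get; init; } = Array.Empty<byte>();         // 32-byte AES-256 key

    public IConfigurationProvider Build(IConfigurationBuilder builder) => new EncryptedJsonProvider(this);
}

public sealed class EncryptedJsonProvider : ConfigurationProvider
{
    private const int NonceSize = 12, TagSize = 16;
    private readonly EncryptedJsonSource _source;

    public EncryptedJsonProvider(EncryptedJsonSource source) => _source = source;

    public override void Load()
    {
        // Assumed file shape: { "ConnectionStrings:Db": "<base64 of nonce|tag|ciphertext>" }
        var entries = JsonSerializer.Deserialize<Dictionary<string, string>>(
            File.ReadAllText(_source.FilePath)) ?? new Dictionary<string, string>();
        var data = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);

        using var aes = new AesGcm(_source.Key, TagSize);
        foreach (var (name, value) in entries)
        {
            byte[] blob = Convert.FromBase64String(value);
            if (blob.Length < NonceSize + TagSize)
                throw new InvalidDataException($"Encrypted value for '{name}' is too short.");
            byte[] nonce = blob[..NonceSize];
            byte[] tag = blob[NonceSize..(NonceSize + TagSize)];
            byte[] cipher = blob[(NonceSize + TagSize)..];
            byte[] plain = new byte[cipher.Length];

            // The setting name is bound in as associated data, so a value copied under
            // another name, or any modified byte, makes Decrypt throw instead of loading.
            aes.Decrypt(nonce, cipher, tag, plain, Encoding.UTF8.GetBytes(name));
            data[name] = Encoding.UTF8.GetString(plain);
        }
        Data = data;
    }
}
```

Register it with builder.Add(new EncryptedJsonSource { FilePath = ..., Key = ... }), taking the key from somewhere that is not shipped alongside the encrypted file (an environment variable set by the deployment, for instance). A wrong key or a tampered file fails at startup with a CryptographicException rather than yielding partial configuration.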

