Encrypting web.config values

Follow these simple steps to encrypt sections of your configuration files

1. Create a custom machine-level RSA key container by running aspnet_regiis.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pc "MyKeys" -exp

- The -pc option, followed by the name of the RSA key container, creates the RSA key pair.

- The -exp option makes sure that the key is exportable.

2. Grant read access to the RSA encryption key. The following command assumes your application is running under the NETWORK SERVICE account.

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

- The -pa option, followed by the RSA key container name "MyKeys"

- The identity your ASP.NET application runs under (here NETWORK SERVICE)

3. Specify a protected data provider that uses the custom key container just created. Add the following <configProtectedData> section to your web.config. Save and close the web.config file when done.

<configuration>
  <configSections>
    …
  </configSections>
  <configProtectedData>
    <providers>
      <add name="MyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration,
                 Version=2.0.0.0, Culture=neutral,
                 PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
           keyContainerName="MyKeys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  …
</configuration>

4. Provide setting values for the configuration section which you want to encrypt. You can provide settings to standard config sections like connectionStrings or to your own custom section. Following is an example of a custom config section with unencrypted setting values.

<configuration>
  <configSections>
    <section name="SensitiveAccountInfo" type="System.Configuration.SingleTagSectionHandler" />
  </configSections>
  <configProtectedData>
    …
  </configProtectedData>
  <SensitiveAccountInfo domain="tvland" userName="gary" password="watchatalkinboutwillis?" />
</configuration>

5. Encrypt sections of the web.config file

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "SensitiveAccountInfo" "path" -prov "MyProvider"

- The -pef option:

  - Followed by "SensitiveAccountInfo", to specify which section in the web.config file to encrypt.

  - Followed by "path", which is the path to the folder containing the web.config file.

- The -prov option, followed by "MyProvider", to specify which provider to use to encrypt the data.

6. Access decrypted configuration settings by using the following code.

using System.Collections;
using System.Configuration;

// Sections declared with SingleTagSectionHandler come back as a Hashtable of the
// tag's attributes; the configured provider decrypts the section transparently.
Hashtable acctInfo = (Hashtable) ConfigurationManager.GetSection("SensitiveAccountInfo");
string domain = (string)acctInfo["domain"];
string userName = (string)acctInfo["userName"];
string password = (string)acctInfo["password"];
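The encryption in step 5 can also be driven from code through the same Configuration API that aspnet_regiis uses, which is handy for build or deployment scripts. The following is an added example and not code from the original post; it assumes the MyProvider provider from step 3 is declared in the target web.config and that the caller supplies the web.config path.

```csharp
using System;
using System.Configuration;
using System.Xml;

// Added example (not the original post's code). Programmatic equivalent of the
// aspnet_regiis -pef step for the SensitiveAccountInfo section, using the MyProvider
// provider declared in web.config (step 3), plus an on-disk check that the plaintext
// attributes are gone. The web.config path is an assumption supplied by the caller.
static class ConfigSectionProtector
{
    // Encrypts the named section in place; returns true if it is protected afterwards.
    // Idempotent: an already-protected section is left untouched.
    public static bool Protect(string webConfigPath, string sectionName, string providerName)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName); // same effect as -pef ... -prov
            section.SectionInformation.ForceSave = true;             // write the section even if unchanged
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    // Checks the raw XML: the section must name the provider, carry an <EncryptedData>
    // child, and no longer expose the userName/password attributes from step 4.
    public static bool IsEncryptedOnDisk(string webConfigPath, string sectionName, string providerName)
    {
        var doc = new XmlDocument();
        doc.Load(webConfigPath);
        XmlElement section = doc.DocumentElement[sectionName];
        if (section == null) return false;
        bool providerMatches = section.GetAttribute("configProtectionProvider") == providerName;
        bool hasCipherText = section["EncryptedData"] != null;
        bool noPlaintext = !section.HasAttribute("userName") && !section.HasAttribute("password");
        return providerMatches && hasCipherText && noPlaintext;
    }

    static void Main(string[] args)
    {
        string webConfig = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MySite\web.config"; // assumed path
        bool ok = Protect(webConfig, "SensitiveAccountInfo", "MyProvider")
               && IsEncryptedOnDisk(webConfig, "SensitiveAccountInfo", "MyProvider");
        Console.WriteLine(ok ? "SensitiveAccountInfo is encrypted with MyProvider" : "encryption check failed");
    }
}
```

If the application identity was never granted access to the container with -pa (step 2), the read-back in step 6 fails with a ConfigurationErrorsException at decrypt time rather than silently returning plaintext, so that grant is worth checking on every server the file is deployed to.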

Follow these steps to deploy the key container and web.config to another server

So your configuration settings are now encrypted and your web application can decrypt the settings. What if you want to deploy the config file to a different server or environment? Follow these steps to export the RSA key container from the current machine and then import it to the next server.

1. Export a custom RSA key container to an XML file

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -px "MyKeys" "c:\keys.xml" -pri

- The -px option:

  - Followed by "MyKeys", which is the name of the key container that you created earlier.

  - Followed by the path of the .xml file to export the key container to.

- The -pri option ensures that private key information is exported. Otherwise, the exported key information will only encrypt information, not decrypt it.

2. Copy the encrypted web.config file and key container XML file to the new server. The next step assumes you’ve copied the keys.xml file to C:\.


3. Import a custom RSA key container from an XML file

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pi "MyKeys" "c:\keys.xml"

- The -pi option, followed by "MyKeys", which is the name of the exported key container, imports the RSA key container.

- Followed by the path of the .xml file that contains the exported key container.

4. Delete the keys.xml file. You’re done with it.

5. Grant read access to the RSA encryption key. The following command assumes your application is running under the NETWORK SERVICE account.

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

- The -pa option, followed by the RSA key container name "MyKeys"

- The identity your ASP.NET application runs under (here NETWORK SERVICE)

Refer to this MSDN article for more details about the above instructions.