Implementing a Protected Configuration Provider

Protected configuration enables you to encrypt sections of an ASP.NET application's Web.config file in order to protect sensitive information used by the application. This can improve the security of your application by making it difficult for an attacker to gain access to the sensitive information even if an attacker gains access to your Web.config file. ASP.NET includes two protected configuration providers that can be used to encrypt sections of a Web.config file: RsaProtectedConfigurationProvider, which uses the RSACryptoServiceProvider to encrypt configuration sections, and DpapiProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.

In some cases, you might need to encrypt information using an algorithm other than those available with the RSA or DPAPI providers. In that case, you can build a custom protected configuration provider to be used by ASP.NET.

Required Classes for Protected Configuration Providers

To implement a protected configuration provider, you create a class that inherits the ProtectedConfigurationProvider abstract class from the System.Configuration namespace. The ProtectedConfigurationProvider abstract class inherits the ProviderBase abstract class from the System.Configuration.Provider namespace, so you must implement the required members of the ProviderBase class as well. The following tables list the properties and methods that you must implement from the ProviderBase and ProtectedConfigurationProvider abstract classes. To see an implementation of each member, see How to: Build and Run the Protected Configuration Provider Example.

Required ProviderBase Members

Member

Description

Initialize method

Sets property values for the provider instance, including implementation-specific values and options supplied in the application configuration.

Takes as input the name of the provider and a NameValueCollection of configuration settings.

Required ProtectedConfigurationProvider Members

Member

Description

Encrypt method

Performs the encryption. Takes as input an XmlNode object containing the configuration section to be encrypted. For example, if the configuration section to be encrypted is the connectionStrings section, the XmlNode object represents XML data similar to the following example.

<connectionStrings>
  <add name="SampleConnectionString" 
    connectionString="Data Source=localhost;Initial Catalog=Northwind;Integrated Security=SSPI;" />
</connectionStrings>

The Encrypt method encrypts the OuterXml value of the XmlNode object and returns an XmlNode object in which an EncryptedData element is the root element, as shown in the following example:

<EncryptedData>
  <!-- encrypted contents -->
</EncryptedData>

The format of the contents of the EncryptedData element is determined by your implementation. When the element is decrypted, ASP.NET will pass an XmlNode object to the Decrypt method, where the EncryptedData element is the root element.

Decrypt method

Performs the decryption. Takes as input an XmlNode object containing the EncryptedData element of an encrypted configuration section. For example, if the connectionStrings section is the configuration section that was encrypted, the XmlNode object represents XML data similar to highlighted XML in the following example.

<connectionStrings configProtectionProvider="CustomProvider">
  <EncryptedData> 
    <!-- encrypted contents --> 
  </EncryptedData>
</connectionStrings>

The Decrypt method decrypts the contents of the XmlNode object and returns an XmlNode object that represents the decrypted contents of the EncryptedData XmlNode object. For example, if the connectionStrings section was encrypted, the Decrypt method returns an XmlNode object with XML data similar to the following example.

<connectionStrings>
  <add name="SampleConnectionString" 
    connectionString="Data Source=localhost;Initial Catalog=Northwind;Integrated Security=SSPI;" />
</connectionStrings>

Sample Provider

For an example custom protected configuration provider that uses the TripleDESCryptoServiceProvider class to encrypt and decrypt sections of a Web.config file, see How to: Build and Run the Protected Configuration Provider Example.

See Also

Tasks

How to: Build and Run the Protected Configuration Provider Example

Other Resources

Encrypting Configuration Information Using Protected Configuration