Encrypt and Decrypt Web.Config

Ambily.raj
Posted by in ASP.NET category on for Beginner level | Points: 250 | Views : 66029 red flag
Rating: 5 out of 5  
 2 vote(s)

Security is one of the major aspects in terms of a web application. Security can be implemented using different methods in a web application. One of the main components, which required high security, is the configuration files, where we will define the configurations. In this document, we will discuss about the simple way to protect the web.config entries.


Security is one of the major aspects in terms of a web application. Security can be implemented using different methods in a web application. One of the main components, which required high security, is the configuration files, where we will define the configurations. In this document, we will discuss about the simple way to protect the web.config entries. 

Encrypt Web.Config Sections


We can encrypt the required sections using the Asp.Net built in utility aspnet_regiis.  For example, we want to encrypt the following appSettings defined in the default website


 <appSettings>

    <add key="test1" value="testing the encrypt" />

    <add key="sample" value="Sample for encrypt" />

  </appSettings>

 
Open the command prompt and run the command

 


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis  -pe "appSettings" 

<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">   <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc"> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig"> <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

<KeyName>Rsa Key</KeyName> </KeyInfo>

<CipherData> <CipherValue>g7ROtz+5zGkEXsfxBW1o7RmcGvekuEtbvHGC+EWQiqD0fJypbg56JgbO+7hLMYh7uq5J5AcNEa9XAxnsX2f7V5QJZLDguv+bJhdBHs27QrS5P0MNU4bqUipx0MYwuS+zPTkBwpyTuTzCBTJPZkkfd/4N0IvK9+JgQP9EUK9PlAA=</CipherValue>

 

</CipherData> </EncryptedKey>

</KeyInfo>      <CipherData>

        <CipherValue>oSn8uYA9HUaii3ZcHET4oMATfVrFwpYpjipRgF9Uil+eSwno9r3HqNjS1VYwkEz8QFfhHnhSenwkKpIkuhv1hFvppX1CZtQyopVIDtsJgnzdP7uCk9xYt+7n6EX3OlgVuHCv8ckl7jpCAaTgtFLmScM6ey8N4SAkwK60e/Ou7zg4bqf0RnNYcghprdxuBR2z</CipherValue>

      </CipherData>    </EncryptedData>

  </appSettings>

Sometimes, we need to encrypt the sections of another website, which is not the default website, and then use the following options


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/" -site TestSite


This command specifies encrypt the appSettings section of the site TestSite. –app indicates the virtual directory under the site. For encrypting the web.config of the main web site use the virtual directory value as “/”.

In some cases, we may need to encrypt the web.config under a virtual directory or web application under our web site, then use the following command


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site TestSite


Here, the command indicates encrypt the web.config of the TestSite and find the configuration under the MyApp web application configured under the website.

Instead of using the site name, we can use the metadata identifier or ID of the site, which can be obtained from the IIS Manager.


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site 5


Decrypt Web.Config Sections

Same as encrypt, we can us ethe same utility to decrypt the section values for further updates. The decrypt command is


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pd "appSettings" -app "/MyApp" -site TestSite

Same as encrypt command, in decrypt also we can specify the application name, site name and section name.

Page copy protected against web site content infringement by Copyscape

About the Author

Ambily.raj
Full Name: Ambily KK
Member Level: Silver
Member Status: Member,Microsoft_MVP,MVP
Member Since: 5/18/2010 1:05:25 AM
Country: India
Thanks Ambily K K http://ambilykk.com/
http://ambilykk.com/
I have over 9 years of experience working on Microsoft Technologies. I am carrying the passion on Microsoft technologies specifically on web technologies such as ASP .Net and Ajax. My interests also include Office Open XML, Azure, Visual Studio 2010. Technology adoption and learning is my key strength and technology sharing is my passion.

Login to vote for this post.

Comments or Responses

Posted by: Ck.kislay on: 9/7/2011 | Points: 25
If I encrypt the web.config file then ASP.net engine automatically decrypt it when they access the config file.

Thanks,
Chandan
Posted by: Ambily.raj on: 9/7/2011 | Points: 25
Yes. ASP.Net engine will automatically decrypt and read the correct values from an encrypted config file.
When you want to modify some values or add a new entry to the section, use the decrypt command to decrypt the config section.

Regards
Ambily
Posted by: Seenuvasan on: 9/14/2011 | Points: 25
hi,

How to see the encrypted file?
Posted by: Arefin on: 11/28/2011 | Points: 25
Hi Seenuvasan,
You can see the encrypted part in Web.config file. Just follow the steps mentioned above.
Thanks Ambiliy for sharing.
Posted by: Mdjack on: 10/24/2012 | Points: 25
i deployed my files to the Dev server (Windows 7) and i export the site and import into another server, Now i decrypt the configuration file i got the following error.

Configuration Error 

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.


Source Error:


Line 63: </system.webServer>
Line 64: <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
Line 65: <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
Line 66: xmlns="http://www.w3.org/2001/04/xmlenc#">
Line 67: <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />



How can i solve this issue

Login to post response

Comment using Facebook(Author doesn't get notification)