Security is one of the major aspects of a web application, and it can be implemented in different ways. One of the main components requiring strong protection is the configuration file, where the application's settings are defined. This document discusses a simple way to protect web.config entries.
Encrypt Web.Config Sections
We can encrypt the required sections using the ASP.NET built-in
utility aspnet_regiis. For example, suppose we want to encrypt the
following appSettings section defined in the default website:
<appSettings>
<add key="test1" value="testing the encrypt" />
<add key="sample" value="Sample for encrypt" />
</appSettings>
Open the command prompt and run the following command:
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings"
After the command runs, the appSettings section in web.config is replaced
by its encrypted form:
<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>g7ROtz+5zGkEXsfxBW1o7RmcGvekuEtbvHGC+EWQiqD0fJypbg56JgbO+7hLMYh7uq5J5AcNEa9XAxnsX2f7V5QJZLDguv+bJhdBHs27QrS5P0MNU4bqUipx0MYwuS+zPTkBwpyTuTzCBTJPZkkfd/4N0IvK9+JgQP9EUK9PlAA=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>oSn8uYA9HUaii3ZcHET4oMATfVrFwpYpjipRgF9Uil+eSwno9r3HqNjS1VYwkEz8QFfhHnhSenwkKpIkuhv1hFvppX1CZtQyopVIDtsJgnzdP7uCk9xYt+7n6EX3OlgVuHCv8ckl7jpCAaTgtFLmScM6ey8N4SAkwK60e/Ou7zg4bqf0RnNYcghprdxuBR2z</CipherValue>
</CipherData>
</EncryptedData>
</appSettings>
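To confirm that the command took effect, a web.config can be checked for sections that still hold readable values. The following Python script is an added example, not part of the original article or of ASP.NET; the function name audit_sections, its status labels and the embedded sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's appSettings before and after
# aspnet_regiis -pe (trimmed; the CipherValue text is a placeholder).
PLAINTEXT = """<configuration><appSettings>
  <add key="test1" value="testing the encrypt" />
</appSettings></configuration>"""
PROTECTED = """<configuration>
<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
 <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
   </EncryptedKey></KeyInfo>
  <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
 </EncryptedData>
</appSettings></configuration>"""

def _local(tag):  # ElementTree names tags '{namespace}name'; keep the name
    return tag.rsplit("}", 1)[-1]

def audit_sections(config_xml, sections=("appSettings", "connectionStrings")):
    """Report, per section, whether it is missing, plaintext or encrypted."""
    root = ET.fromstring(config_xml)
    report = {}
    for name in sections:
        node = next((e for e in root.iter() if _local(e.tag) == name), None)
        if node is None:
            report[name] = {"status": "missing", "provider": None, "algorithms": []}
            continue
        provider = node.get("configProtectionProvider")
        has_cipher = any(_local(c.tag) == "EncryptedData" for c in node)
        leftovers = any(_local(c.tag) != "EncryptedData" for c in node)
        # Algorithm URIs end in '#name'; report just the name.
        algorithms = [m.get("Algorithm", "").rsplit("#", 1)[-1]
                      for m in node.iter() if _local(m.tag) == "EncryptionMethod"]
        if provider and has_cipher and not leftovers:
            status = "encrypted"
        elif provider or has_cipher:
            status = "inconsistent"  # half-converted section: inspect by hand
        else:
            status = "plaintext"
        report[name] = {"status": status, "provider": provider, "algorithms": algorithms}
    return report

if __name__ == "__main__":
    print(audit_sections(PLAINTEXT), audit_sections(PROTECTED), sep="\n")
```

Elements are matched by local name, so the check does not depend on the exact namespace strings in the file.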
Sometimes we need to encrypt the sections of another website, one
that is not the default website. In that case, use the following options:
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/" -site TestSite
This command encrypts the appSettings section of the site TestSite.
The -app option indicates the virtual directory under the site. To
encrypt the web.config of the main web site, use "/" as the virtual
directory value.
In some cases, we may need to encrypt the web.config of a virtual
directory or web application under our web site. In that case, use the
following command:
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site TestSite
Here, the command encrypts the web.config found under the MyApp web
application, which is configured under the website TestSite.
Instead of the site name, we can use the metadata identifier (ID) of
the site, which can be obtained from IIS Manager:
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site 5
Decrypt Web.Config Sections
As with encryption, we can use the same utility to decrypt the
section values for further updates. The decrypt command is:
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pd "appSettings" -app "/MyApp" -site TestSite
As with the encrypt command, the decrypt command also lets us specify
the application name, site name and section name.