There’s lots of guidance available on the web for encrypting configuration sections of your ASP.NET 2 application’s web.config, but here’s a quick reference:

You can store your key in either a machine store or a user store. If your application runs on a dedicated server or if you want to share the sensitive information between multiple applications, use the machine store. If your application runs in a shared hosting environment or you want to make sure that no other applications are able to access the sensitive information, use a user store. Note, however, that more complexity is introduced when using a user store. For more information, see “How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI”, available here: http://msdn2.microsoft.com/en-us/library/ms998280.aspx.

Note that some sections cannot be encrypted using ASP.NET 2’s encryption mechanism:

They can, however, be encrypted using the method that was around for ASP.NET 1.0 and 1.1 (and is still around for ASP.NET 2). More information is available in Microsoft Knowledge Base article 329250, available here: http://support.microsoft.com/kb/329290.

To encrypt a connectionStrings section using the machine store:

aspnet_regiis -pe "connectionStrings" -app "/YourApplication" -prov "DataProtectionConfigurationProvider"

To encrypt a connectionStrings section using the user store:

aspnet_regiis -pe "connectionStrings" -app "/YourApplication" -prov "MyUserDataProtectionConfigurationProvider"

In these examples, aspnet_regiis.exe is located at %System%\WINDOWS\Microsoft.NET\Framework\. The -pe switch assumes that you’re using IIS and that YourApplication is the name of a Virtual Directory on your server. If you’re using Visual Studio 2005’s development web server, you can use the -pef switch to specify the physical directory location of your web.config instead.
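The user-store command above only works if a provider named MyUserDataProtectionConfigurationProvider has been registered, because the built-in DataProtectionConfigurationProvider uses the machine store. This is an added example (not from the original post) of the configProtectedData registration to place in the application’s web.config (or in machine.config to share it), followed by what the connectionStrings section looks like after aspnet_regiis has encrypted it; the CipherValue shown is a constructed placeholder, not real output.

```xml
<configuration>
  <!-- Register a DPAPI provider that uses the per-user key store
       (useMachineProtection="false") instead of the machine store. -->
  <configProtectedData>
    <providers>
      <add name="MyUserDataProtectionConfigurationProvider"
           type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           useMachineProtection="false"
           keyEntropy="" />
    </providers>
  </configProtectedData>

  <!-- After "aspnet_regiis -pe connectionStrings ... -prov MyUserDataProtectionConfigurationProvider"
       the plaintext connection strings are replaced by this block. The
       configProtectionProvider attribute tells ASP.NET which provider to use
       when it transparently decrypts the section at runtime. -->
  <connectionStrings configProtectionProvider="MyUserDataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE_CONSTRUCTED_PLACEHOLDER_CIPHERTEXT</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
```

Because the user store ties the DPAPI key to a Windows account, run aspnet_regiis under the same account your application pool runs as (with that account’s profile loaded); otherwise the application will fail to decrypt the section at startup.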

To decrypt a connectionStrings section using the machine store or the user store:

aspnet_regiis -pd "connectionStrings" -app "/YourApplication"

Again, the -pd switch assumes that you’re using IIS and that YourApplication is the name of a Virtual Directory on your server. If you’re using Visual Studio 2005’s development web server, you can use the -pdf switch to specify the physical directory location of your web.config.
