Encrypting configuration section
Encrypting configuration sections
Introduction
Developers often store confidential information in the configuration files.
Database connection strings, user names and passwords are some of the examples.
One of the requested feature during ASP.NET 1.x days was to provide some way to
easily encrypt and decrypt such information. Thankfully ASP.NET 2.0 fulfils this
request in a flexible way. This article will explain how a specific
configuration section can be protected using inbuilt tool and code.
How ASP.NET encrypts configuration files?
ASP.NET 2.0 allows you to encrypt sections of your configuration file so that
they are secure and protected. This feature is often called as Protected
Configuration. ASP.NET provides two ways to encrypt and decrypt the
configuration files:
- Via a command line tool called ASPNET_REGIIS.EXE
- Via configuration management classes
The encryption and decryption is done with the help of two built-in Protected
Configuration Provider :
- RsaProtectedConfigurationProvider
- DataProtectionConfigurationProvider
If you open machine.config on your machine you will find a section that
specifies these providers. The RsaProtectedConfigurationProvider is the
default one. Below is the relevant markup from machine.config file.
<configProtectedData
defaultProvider="RsaProtectedConfigurationProvider">
<providers>
<add name="RsaProtectedConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
keyContainerName="NetFrameworkConfigurationKey"
cspProviderName="" useMachineContainer="true" useOAEP="false" />
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.DpapiProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
description="Uses CryptProtectData and CryptUnProtectData
Windows APIs to encrypt and decrypt" useMachineProtection="true"
keyEntropy="" />
</providers>
</configProtectedData>
Encrypting a configuration section using ASPNET_REGIIS.EXE
Let's see how we can encrypt the <connectionStrings> section using
ASPNET_REGIIS.EXE tool.
Create a new IIS based web site in VS.NET called EncryptTest and add a
web.config file to it. Then add <connectionStrings> section as shown below:
<connectionStrings>
<add name="connstr" connectionString=
"data source=.\sqlexpress;initial catalog=
northwind;integrated security=true" />
</connectionStrings>
We simply add a connection string that points to Northwind database. Next,
drag and drop a GridView control on the default web form and add the following
code in the Page_Load event.
protected void Page_Load(object sender, EventArgs e)
{
string strConn = ConfigurationManager.
ConnectionStrings["connstr"].ConnectionString;
SqlDataAdapter da = new SqlDataAdapter
("select * from customers", strConn);
DataSet ds = new DataSet();
da.Fill(ds);
GridView1.DataSource = ds;
GridView1.DataBind();
}
We read the connection string from the <connectionStrings> section using
ConfigurationManager class. We use this manual method instead of using SQL Data
Source control deliberately just to prove that the inbuilt classes such as
ConfigurationManager automatically decrypt the encrypted version of the
connection string. We then populate a DataSet from all the records from
Customers table and bind it with the GridView.
Now, open Visual Studio 2005 Command Prompt and issue the following command:
aspnet_regiis -pe "connectionStrings" -app "/encrypttest"
The -pe switch specifies the section from the web.config file to encrypy (connectionStrings
in our case). The -app switch specifies the virtual path of the IIS application
we are working on.
After executing this command if you peek into the web.config file you should
see some thing like this:
<connectionStrings configProtectionProvider=
"RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>NW4gFUtlA3XkbKu42FQ3kYV8EKmwzy9r53vrI2rjV
ZFqjsr00/MwS6TWqjnsguN09kWvNIrbfWu5+Gi+DLFhYnGm2NcuaCy
Vic8f5e0Q8u3E7zk2MegZmiri5bSELE1fZneWz4oFb+MHqA94ZO3Be
XBlocou6ydtmJPXZCqLsDQ=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>T2fswq6Rt7g7VSNUnoe4kNFGSluWCBReQf3DRbXao/
sWaWs4mrJAI6Xy0zNDHY5pKXUUF9Kep2wG84rMVx0QtLIUjBaUKCnrm
Eb+53oYNPjN4Kf5zcPyWoaWwcus4LnJYNtg3oGJUvavZ0tjGXH9+5gB
w/xMrtfDcYAIom9l/IMcO92BKrvimjn/k4Mr8VXxGpvdMkAC3+e6dtW
JeUgQGpepO+RNpWymB5kWj38LjMQ=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
The tool has encrypted the connectionStrings section using
RsaProtectedConfigurationProvider (default) and stored the
encrypted markup back to the configuration file. You can also specify the
Protected Configuration Provider using -prov switch. Easy. Isn't it?
Now, run your web form. The web form should correctly display the Customers
table in the GridView indicating that ConfigurationManager class automatically
decrypts this information while reading the connection string.
Decrypting a configuration section ASPNET_REGIIS.EXE
What if you need to make some changes to the connection string during the
development? Don't worry! The ASPNET_REGIIS.EXE tool allows you to decrypt the
section also. Just issue the following command and get back your original
un-encrypted version back.
aspnet_regiis -pd "connectionStrings" -app "/encrypttest"
The onlt difference between this command and the one we used previously is
that we used -pd switch instead of -pa.
Encryption and decrypting via code
The task of encrypting and decrypting web.config can also be achieved via
code. Let's see how.
Add a new web form to the same web site and design it as shown below:

Add the following code in the Click event of "Encrypt Connection String"
button:
protected void Button1_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.
OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.ConnectionStrings;
if (!section.SectionInformation.IsProtected)
{
section.SectionInformation.ProtectSection
("RsaProtectedConfigurationProvider");
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Modified);
}
}
If you are not familiar with how to edit web.config programmatically then you
may find this article useful :
Modifying Web.config file programmatically.
The code above is opening the web.config file for modification. It then
retrieves the ConnectionStrings section. The most important thing happens at the
line marked in bold. The ProtectSection() method accepts the Protected
Configuration Provider you want to use for encryption and then encrypts
the underlying section using that provider. The code finally saves the file back
to the disk.
Decrypting the configuration section works on similar lines as explained
below:
protected void Button2_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.
OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.ConnectionStrings;
if (section.SectionInformation.IsProtected)
{
section.SectionInformation.UnprotectSection();
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Modified);
}
}
Here, we used UnprotectSection() method to revert back to the un-encrypted
version.
Summary
ASP.NET 2.0 makes it easy to secure your web.config files by allowing you to
encrypt them. The encryption and decryption can be done in two ways - using
ASPNET_REGIIS command line tool or programmatically.