Encrypting configuration section

Encrypting configuration sections


Developers often store confidential information in the configuration files. Database connection strings, user names and passwords are some of the examples. One of the requested feature during ASP.NET 1.x days was to provide some way to easily encrypt and decrypt such information. Thankfully ASP.NET 2.0 fulfils this request in a flexible way. This article will explain how a specific configuration section can be protected using inbuilt tool and code.

How ASP.NET encrypts configuration files?

ASP.NET 2.0 allows you to encrypt sections of your configuration file so that they are secure and protected. This feature is often called as Protected Configuration. ASP.NET provides two ways to encrypt and decrypt the configuration files:

  • Via a command line tool called ASPNET_REGIIS.EXE
  • Via configuration management classes

The encryption and decryption is done with the help of two built-in Protected Configuration Provider :

  • RsaProtectedConfigurationProvider
  • DataProtectionConfigurationProvider

If you open machine.config on your machine you will find a section that specifies these providers. The RsaProtectedConfigurationProvider is the default one. Below is the relevant markup from machine.config file.

<add name="RsaProtectedConfigurationProvider" 
System.Configuration, Version=, Culture=neutral, 
description="Uses RsaCryptoServiceProvider to encrypt and decrypt" 
cspProviderName="" useMachineContainer="true" useOAEP="false" />
<add name="DataProtectionConfigurationProvider" 
System.Configuration, Version=, Culture=neutral, 
description="Uses CryptProtectData and CryptUnProtectData 
Windows APIs to encrypt and decrypt" useMachineProtection="true" 
keyEntropy="" />

Encrypting a configuration section using ASPNET_REGIIS.EXE

Let's see how we can encrypt the <connectionStrings> section using ASPNET_REGIIS.EXE tool.

Create a new IIS based web site in VS.NET called EncryptTest and add a web.config file to it. Then add <connectionStrings> section as shown below:

<add name="connstr" connectionString=
"data source=.\sqlexpress;initial catalog=
northwind;integrated security=true" />

We simply add a connection string that points to Northwind database. Next, drag and drop a GridView control on the default web form and add the following code in the Page_Load event.

protected void Page_Load(object sender, EventArgs e)
string strConn = ConfigurationManager.
SqlDataAdapter da = new SqlDataAdapter
("select * from customers", strConn);
DataSet ds = new DataSet();
GridView1.DataSource = ds;

We read the connection string from the <connectionStrings> section using ConfigurationManager class. We use this manual method instead of using SQL Data Source control deliberately just to prove that the inbuilt classes such as ConfigurationManager automatically decrypt the encrypted version of the connection string. We then populate a DataSet from all the records from Customers table and bind it with the GridView.

Now, open Visual Studio 2005 Command Prompt and issue the following command:

aspnet_regiis -pe "connectionStrings" -app "/encrypttest"

The -pe switch specifies the section from the web.config file to encrypy (connectionStrings in our case). The -app switch specifies the virtual path of the IIS application we are working on.

After executing this command if you peek into the web.config file you should see some thing like this:

<connectionStrings configProtectionProvider=
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>

The tool has encrypted the connectionStrings section using RsaProtectedConfigurationProvider (default) and stored the encrypted markup back to the configuration file. You can also specify the Protected Configuration Provider using -prov switch. Easy. Isn't it?

Now, run your web form. The web form should correctly display the Customers table in the GridView indicating that ConfigurationManager class automatically decrypts this information while reading the connection string.

Decrypting a configuration section ASPNET_REGIIS.EXE

What if you need to make some changes to the connection string during the development? Don't worry! The ASPNET_REGIIS.EXE tool allows you to decrypt the section also. Just issue the following command and get back your original un-encrypted version back.

aspnet_regiis -pd "connectionStrings" -app "/encrypttest"

The onlt difference between this command and the one we used previously is that we used -pd switch instead of -pa.

Encryption and decrypting via code

The task of encrypting and decrypting web.config can also be achieved via code. Let's see how.

Add a new web form to the same web site and design it as shown below:

Add the following code in the Click event of "Encrypt Connection String" button:

protected void Button1_Click(object sender, EventArgs e)
Configuration config = WebConfigurationManager.
ConfigurationSection section = config.ConnectionStrings;
if (!section.SectionInformation.IsProtected)
section.SectionInformation.ForceSave = true;

If you are not familiar with how to edit web.config programmatically then you may find this article useful : Modifying Web.config file programmatically.

The code above is opening the web.config file for modification. It then retrieves the ConnectionStrings section. The most important thing happens at the line marked in bold. The ProtectSection() method accepts the Protected Configuration Provider you want  to use for encryption and then encrypts the underlying section using that provider. The code finally saves the file back to the disk.

Decrypting the configuration section works on similar lines as explained below:

protected void Button2_Click(object sender, EventArgs e)
Configuration config = WebConfigurationManager.
ConfigurationSection section = config.ConnectionStrings;
if (section.SectionInformation.IsProtected)
section.SectionInformation.ForceSave = true;

Here, we used UnprotectSection() method to revert back to the un-encrypted version.


ASP.NET 2.0 makes it easy to secure your web.config files by allowing you to encrypt them. The encryption and decryption can be done in two ways - using ASPNET_REGIIS command line tool or programmatically.

Bipin Joshi is an independent software consultant and trainer by profession specializing in Microsoft web development technologies. Having embraced the Yoga way of life he is also a meditation teacher and spiritual guide to his students. He is a prolific author and writes regularly about software development and yoga on his websites. He is programming, meditating, writing, and teaching for over 27 years. To know more about his ASP.NET online courses go here. More details about his Kriya and Meditation online course are available here.

Posted On : 19 May 2006

Tags : ASP.NET Security Configuration