Now comes the security issues. At times there comes the necessity for protecting sections of config file. In .NET 2.0 there are options available to encrypt sections of Web.config file programatically. The following method encrypts the "appSettings" section in Web.config file.

private void EncryptAppSettings()  
{
	Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
	AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
	if (!objAppsettings.SectionInformation.IsProtected)
	{
		objAppsettings.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
		objAppsettings.SectionInformation.ForceSave = true;
		objConfig.Save(ConfigurationSaveMode.Modified);
	}
}

The code above opens Web.Config file for modification. It then retrieves the "appSettings" section. The ProtectSection() method of SectionInformation class marks the configuration section for protection. It accepts the name of the protection provider to be used for the encryption. The ForceSave property indicates if the specified configuration section will be saved even if it has not been modified. Finally the Save() of the Configuration object writes the configuration settings to the Web.config file. The argument to the Save() method indicates the only properties modified need to be written to the physical file.

Decrypting sections of web.config file through code is very identical. The UnprotectSection() method of SectionInformation class removes the encryption from the configuration section.

private void DecryptAppSettings()
{
	Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
	AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
	if (objAppsettings.SectionInformation.IsProtected)
	{
		objAppsettings.SectionInformation.UnprotectSection();
		objAppsettings.SectionInformation.ForceSave = true;
		objConfig.Save(ConfigurationSaveMode.Modified);
	}
}

This encrytion and decryption functionality can be applied to other sections of web.config file also. It comes in use mostly for "connectionStrings" section where usually the user name and password would be specified. This can done by creating a ConfigurationSection object. An example for "connectionStrings" section is listed below.

ConfigurationSection objConfigSection = objConfig.ConnectionStrings;

ConfigurationSection class represents a section within the configuration file. Configuration class has propertes for each configuration section. This property can be used to get respective ConfigurationSection objects. This is an alternative to the usage of GetSection() method of Configuration class.