Encrypting Web.config sections in ASP.NET 2.0

If you suffer from deep paranoia like me, you'll find it a little disturbing to declare all your connection strings in plain text in the new <connectionStrings> section of your web application's Web.config file. This is what it looks like before encrypting:

<connectionStrings>
  <add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs"
    providerName="System.Data.SqlClient" />
  <add name="Northwind" connectionString="Server=localhost;Integrated Security=True;Database=Northwind"
    providerName="System.Data.SqlClient" />
</connectionStrings>

Behold the new security features of ASP.NET 2.0. You can now encrypt any section of your Web.config file on the fly and programmatically. If you have full access to your web server, you can encrypt your connection strings with this single command, located in the %windows%\Microsoft.NET\Framework\versionNumber folder:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

If you can't execute commands on your web server, for example when using shared hosting, you can still encrypt the section programmatically:

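// Requires: using System.Configuration; using System.Web.Configuration;
// The released ASP.NET 2.0 API uses WebConfigurationManager.OpenWebConfiguration,
// SectionInformation.ProtectSection and Save() (not Configuration.GetWebConfiguration / Update).
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("connectionStrings");
// Encrypt the section with the DPAPI-based provider, then write Web.config back to disk.
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
config.Save();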

Now, the section in your Web.config file will look like this:

<connectionStrings>
<EncryptedData>
<CipherData>
<CipherValue>AQAAANCMndjHoAw...</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
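
To confirm that a deployed Web.config really ended up in this state, a check like the following can run in a build or deployment pipeline. It is an added example in Python, not code from the original article; `audit_section` and both sample documents are constructed for illustration. The `configProtectionProvider` attribute is what the released framework writes on the protected section element; the abbreviated sample above omits it, so the check does not require it.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs"
      providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>AQAAANCMndjHoAw...</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def local(tag):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2001/04/xmlenc#}'."""
    return tag.rsplit("}", 1)[-1]


def audit_section(config_xml, section="connectionStrings"):
    """Classify one section of a Web.config document.

    Returns (status, detail): status is 'missing', 'encrypted', 'plaintext'
    or 'mixed'; detail lists the provider name or the clear-text entry names.
    """
    root = ET.fromstring(config_xml)
    node = next((e for e in root.iter() if local(e.tag) == section), None)
    if node is None:
        return ("missing", [])
    # A protected section carries a non-empty CipherValue somewhere below it.
    has_cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip()
                     for e in node.iter())
    # Any direct <add> child is a connection string stored in clear text.
    clear = [c.get("name", "?") for c in node if local(c.tag) == "add"]
    if has_cipher and clear:
        return ("mixed", clear)
    if has_cipher:
        return ("encrypted", [node.get("configProtectionProvider", "unspecified")])
    return ("plaintext", clear)


if __name__ == "__main__":
    for label, doc in (("before", PLAINTEXT), ("after", ENCRYPTED)):
        print(label, audit_section(doc))
```

A result of 'plaintext' or 'mixed' means at least one connection string is still readable by anyone who can read the file.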

I hope you found this article useful. Happy coding!

Comments

  1. 14 Sep 2009 at 18:16

    The error I get using C# 3.0 - System.Configuration.Configuration does not contain a definition for 'GetWebConfiguration'

    Fix - System.Configuration.Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

            ConnectionStringsSection connectionStringSection = (ConnectionStringsSection)objConfig.GetSection("connectionStrings");
    
            if (connectionStringSection.SectionInformation.IsProtected)
                return;
    
            connectionStringSection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            connectionStringSection.SectionInformation.ForceSave = true;
    
            objConfig.Save(ConfigurationSaveMode.Modified);
    
  2. 12 Oct 2006 at 20:52

    I noticed you found your own answer - and if anyone else comes here looking for the answer, they can see your solution at:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=218559&SiteID=1

    (which is basically to go to the properties of the folder, select the Web Sharing tab, and select "Share this folder")

    Thanks! :)

  3. 27 Jan 2006 at 02:45
    I have tried this on 3 of my websites and it works on 2 of them but I cannot figure out why it won't work on the 3rd one.  I did it using the aspnet_regiis command line.  I keep getting an error that reads as follows:

    Encrypting Configuration section...
    A configuration file cannot be created for the requested Configuration object.
    Failed!

    I have multiple websites on my webserver. I have one under the wwwroot which I encrypted using an app path in the -app parameter that was simply:

    aspnet_regiis -pe "connectionStrings" -app "/"

    I have another which happens to be a subweb. I did it like:

    aspnet_regiis -pe "connectionStrings" -app "/main/subweb"

    This one also worked.

    Then I tried it with one of my other ones which was not a subweb. I'll call it app2:

    aspnet_regiis -pe "connectionStrings" -app "/app2"

    Now the way these webs are physically on the disc, the first one is under the inetpub/wwwroot and all of the rest are webs that are under a directory which I've named c:/myWebs.  So the actual physical sites are as follows:

    c:/myWebs/main/subweb

    c:/myWebs/app2

    The documentation that I can find says that the -app refers to the virtual directory so I am wondering if I am putting in the correct parameter for the -app keyword. Actually the name is pretty long - 23 characters, so maybe that could be a problem too.

    Anyway, I was thinking of doing this programmatically, but then I wondered how would that actually work? Would I create a special page that only I could access that would have an encrypt and decrypt button? Otherwise, what would prevent a casual hacker from going in and encrypting it? Or decrypting it? I think I'm missing part of the equation -- perhaps you can enlighten me...

    Thanks,



Xavier Larrea