Encrypting Web.config sections in ASP.NET 2.0

If you suffer from deep paranoia like me, you'll find it a little disturbing to declare all your connection strings in the new <connectionStrings> section of your web application's Web.config file. This is what it looks like before encrypting:

<connectionStrings>
  <add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs"
    providerName="System.Data.SqlClient" />
  <add name="Northwind" connectionString="Server=localhost;Integrated Security=True;Database=Northwind"
    providerName="System.Data.SqlClient" />
</connectionStrings>

Behold ASP.NET 2.0's new security features. Now you can actually encrypt any section of your Web.config file on the fly and programmatically. If you have full access to your Web server, you can encrypt your connection strings with this single command line, run from the %windir%\Microsoft.NET\Framework\versionNumber folder:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

If you can't execute commands on your web server, for example when using shared hosting, you can still encrypt it programmatically:

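// Requires: using System.Configuration; using System.Web.Configuration;
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("connectionStrings");
// Encrypt with the DPAPI-based provider, then write the change back to Web.config.
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
config.Save();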

Now, the section in your Web.config file will look like this:
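A deploy-time check for the result described above, as an added example that is not part of the original article: it parses a Web.config and reports which sensitive sections are still plaintext. The configProtectionProvider attribute and EncryptedData child it looks for are what ASP.NET's protected configuration writes; the function names, the choice of sensitive sections and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sections treated as sensitive here (an assumption; extend for your app).
SENSITIVE = ("connectionStrings", "appSettings")

def local(tag):
    """Drop an XML namespace prefix: '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Map each sensitive section found to 'protected', 'plaintext' or
    'inconsistent' (provider attribute and EncryptedData child disagree)."""
    report = {}
    for section in ET.fromstring(xml_text).iter():
        name = local(section.tag)
        if name not in SENSITIVE:
            continue
        has_provider = bool(section.get("configProtectionProvider"))
        children = [local(c.tag) for c in section]
        has_cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip()
                         for e in section.iter())
        if has_provider and children == ["EncryptedData"] and has_cipher:
            report[name] = "protected"
        elif not has_provider and "EncryptedData" not in children:
            report[name] = "plaintext"
        else:
            report[name] = "inconsistent"
    return report

# Constructed samples; the CipherValue is a placeholder, not real ciphertext.
PLAIN = """<configuration>
  <connectionStrings>
    <add name="Pubs" providerName="System.Data.SqlClient"
         connectionString="Server=localhost;Integrated Security=True;Database=Pubs" />
  </connectionStrings>
</configuration>"""

ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-BASE64==</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="example" /></appSettings>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, audit_web_config(doc))
```

An "inconsistent" result means the provider attribute and the section body no longer match, so the runtime would fail to read the section or a plaintext copy has been merged back in.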


I hope you found this article useful. Happy coding!

Xavier Larrea

