Library code snippets

Encrypting Web.config sections in ASP.NET 2.0

By Xavier Larrea, published on 21 Jan 2006
Xavier Larrea

If you suffer from deep paranoia like me, you'll find a little disturbing to declare all your connection strings in the new <connectionsStrings> section of your web application's Web.config file. This is how it looks like before encrypting:

<connectionStrings>
  <add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs"
    providerName="System.Data.SqlClient" />
  <add name="Northwind" connectionString="Server=localhost;Integrated Security=True;Database=Northwind"
    providerName="System.Data.SqlClient" />
</connectionStrings>

Behold ASP.NET 2.0 new security features. Now you can actually encrypt any section of your Web.config file on-the-fly and programatically. If you have full access to your Web server, you can encrypt your connection strings with this single command-line located in the in the %windows%\Microsoft.NET\Framework\versionNumber folder: 

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

If you can't execute commands in your web server, for example, when using shared hosting, you still can encrypt it programatically:

Configuration config = Configuration.GetWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.Sections["connectionStrings"]; 
section.ProtectSection ("DataProtectionConfigurationProvider"); 
config.Update();

Now, the section in your Web.config file will look like this:

<connectionStrings>
  <EncryptedData>
    <CipherData>
      <CipherValue>AQAAANCMndjHoAw...</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

I hope you found this article useful. Happy coding!

Related tags

asp.net

Comments

  1. Andrew Derry
    12 Oct 2006 at 20:52

    I noticed you found your own answer - and if anyone else comes here looking for the answer, they can see your solution at:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=218559&SiteID=1

    (which is basically to go to the properties of the folder, select the Web Sharing tab, and select "Share this folder")

    Thanks! :)

  2. Bob Tournoux
    27 Jan 2006 at 02:45

    I have tried this on 3 of my websites and it works on 2 of them but I cannot figure out why it won't work on the 3rd one.  I did it using the aspnet_regiis command line.  I keep getting an error saying that reads as follows:


    Encrypting Configuration section...
    A configuration file cannot be created for the requested Configuration object.
    Failed!


    I have multiple websites on my webserver. I have one under the wwwroot which I encrypted using an app path in the -app parameter that was simply:


    aspnet_regiis -pe "connectionStrings" -app "/"


    I have another which happens to be subweb. I did it like:


    aspnet_regiis -pe "connectionStrings" -app "/main/subweb"


    This one also worked.


    Then I tried it with one of my other ones which was not a subweb, I'll call it app2


    aspnet_regiis -pe "connectionStrings" -app "/app2"


    Now the way these webs are physically on the disc, the first one is under the inetpub/wwwroot and all of the rest are webs that are under a directory which I've named c:/myWebs.  So the actual physical sites are as follows:


    c:/myWebs/main/subweb


    c:/myWebs/app2


    The documentation that I can find says that the -app refers to the virtual directory so I am wondering if I am putting in the correct parameter for the -app keyword. Actually the name is pretty long - 23 characters, so maybe that could be a problem too.


    Anyway, I was thinking of doing this programatically, but then I wondered how would that actually work? Would I create a special page that only I could access that would have an encrypt and decrypt button? Otherwise, what would prevent a casual hacker from going in and encrypting it? or decrypting it? I think I'm missing part of the equation -- perhaps you can enlighten me...


    Thanks,


  3. Developer Fusion Bot
    01 Jan 1999 at 00:00

    This thread is for discussions of Encrypting Web.config sections in ASP.NET 2.0.

Leave a comment

Sign in or Join us (it's free).

AddThis

Related articles

Ask a question

Related discussion

Related podcasts

  • CodeCast Episode 4: State of .NET, IE8, ASP.NET MVC, and O'Reilly Media

    CodeCast Episode 4: State of .NET, IE8, ASP.NET MVC, and O'Reilly MediaHosts Ken Levy and Markus Egger discuss the new State of .NET events, IE8, ASP.NET MVC, followed by an interview from PDC with two editors from O'Reilly Media. More on ASP.NET MVC can be found at http://asp.net/mvc. Interview...

Related jobs

Events coming up

  • Dec 9

    Internet Information Services 7.0 for ASP.Net Developers

    Glasgow, United Kingdom

    One of the biggest and best new features of Windows Server 2008 and Windows Vista is Internet Information Server 7.0.  IIS 7.0 is the latest and most significant release of Microsoft's Web Server. With this release comes a new extensibility model which gives developers more options than ever before, more diagnostic tools with which developers can debug and locate issues. During the session Andrew will investigate the new architecture, look at extending, configuring and developing for IIS7, ta...

Languages

Web Development

Frameworks & Architecture

Other major sections