ASP.NET Tip: Encrypting a Configuration File Section

Leaving passwords unencrypted in a configuration file is generally considered a bad idea. Although some level of access is required to get to the file, encrypting the passwords—especially database passwords—adds a layer of security. However, implementing this type of encryption has been a bit difficult until ASP.NET 2.0. Microsoft provided the Data Protection API prior to 2.0, but did not provide a .NET interface to these methods.

With ASP.NET 2.0, you now have the ability to encrypt portions of your configuration file by using the aspnet_regiis.exe utility, located in the \Windows\Framework\v2.0.50727 folder (assuming your Windows root is \Windows). Unfortunately, the Microsoft documentation makes using this command much harder than it really needs to be. By using this simple command, you can pick a section (such as connectionStrings, appSettings, and so forth) in your Web.config file to encrypt:

aspnet_regiis -pef appSettings C:\Inetpub\wwwroot\mysite

This encrypts the section of your configuration file. The -pdf option decrypts it:

aspnet_regiis -pdf appSettings C:\Inetpub\wwwroot\mysite

This will work with any of the built-in sections under the configuration node. You need to do the encryption and decryption on the same machine, unless you take some extra steps to create a shared key that can be used in a server farm, for instance. The Microsoft documentation provides more examples on the more complicated methods of using this code.

Although this is handy for built-in sections, my own testing showed that it does not work properly with custom configuration sections that you may have defined on your own. I'll continue to search for an answer and provide it in a future tip if I find it.

About the Author

Eric Smith is the owner of Northstar Computer Systems, a Web-hosting company based in Indianapolis, Indiana. He is also a MCT and MCSD who has been developing with .NET since 2001. In addition, he has written or contributed to 12 books covering .NET, ASP, and Visual Basic. Send him your questions and feedback via e-mail at questions@techniquescentral.com.



Comments

  • very importent

    Posted by mor_tsalah on 02/03/2009 03:15am

    [Edit] [Delete] i need some code in c# that find how is the user who working on the current computer (by ip address). another, i need to know how can i get the properties on object from the active directory. it`s very importent to me. thanks.

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception? Keeping data close to home, on premises, makes business and IT leaders feel inherently more secure. But the truth is, cloud solutions can offer companies real, tangible security advantages. Before you assume that on-site is the only way to keep data safe, it's worth taking a comprehensive approach to evaluating risks. Doing so can lead to big benefits.

  • Live Event Date: August 14, 2014 @ 2:00 p.m. ET / 11:00 a.m. PT Data protection has long been considered "overhead" by many organizations in the past, many chalking it up to an insurance policy or an extended warranty you may never use. The realities of today make data protection a must-have, as we live in a data driven society. The digital assets we create, share, and collaborate with others on must be managed and protected for many purposes. Check out this upcoming eSeminar and join eVault Chief Technology …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds