ASP.NET Tip: Encrypting a Configuration File Section | CodeGuru
C#
SHARE
Facebook X Pinterest WhatsApp

ASP.NET Tip: Encrypting a Configuration File Section

Leaving passwords unencrypted in a configuration file is generally considered a bad idea. Although some level of access is required to get to the file, encrypting the passwords—especially database passwords—adds a layer of security. However, implementing this type of encryption has been a bit difficult until ASP.NET 2.0. Microsoft provided the Data Protection API prior […]

Written By
CodeGuru Staff
CodeGuru Staff
Jan 29, 2007
2 minute read
CodeGuru content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Leaving passwords unencrypted in a configuration file is generally considered a bad idea. Although some level of access is required to get to the file, encrypting the passwords—especially database passwords—adds a layer of security. However, implementing this type of encryption has been a bit difficult until ASP.NET 2.0. Microsoft provided the Data Protection API prior to 2.0, but did not provide a .NET interface to these methods.

With ASP.NET 2.0, you now have the ability to encrypt portions of your configuration file by using the aspnet_regiis.exe utility, located in the WindowsFrameworkv2.0.50727 folder (assuming your Windows root is Windows). Unfortunately, the Microsoft documentation makes using this command much harder than it really needs to be. By using this simple command, you can pick a section (such as connectionStrings, appSettings, and so forth) in your Web.config file to encrypt:

aspnet_regiis -pef appSettings C:Inetpubwwwrootmysite

This encrypts the section of your configuration file. The -pdf option decrypts it:

aspnet_regiis -pdf appSettings C:Inetpubwwwrootmysite

This will work with any of the built-in sections under the configuration node. You need to do the encryption and decryption on the same machine, unless you take some extra steps to create a shared key that can be used in a server farm, for instance. The Microsoft documentation provides more examples on the more complicated methods of using this code.

Although this is handy for built-in sections, my own testing showed that it does not work properly with custom configuration sections that you may have defined on your own. I’ll continue to search for an answer and provide it in a future tip if I find it.

About the Author

Eric Smith is the owner of Northstar Computer Systems, a Web-hosting company based in Indianapolis, Indiana. He is also a MCT and MCSD who has been developing with .NET since 2001. In addition, he has written or contributed to 12 books covering .NET, ASP, and Visual Basic. Send him your questions and feedback via e-mail at questions@techniquescentral.com.
CodeGuru Staff
CodeGuru Logo

CodeGuru covers topics related to Microsoft-related software development, mobile development, database management, and web application programming. In addition to tutorials and how-tos that teach programmers how to code in Microsoft-related languages and frameworks like C# and .Net, we also publish articles on software development tools, the latest in developer news, and advice for project managers. Cloud services such as Microsoft Azure and database options including SQL Server and MSSQL are also frequently covered.

facebook
linkedin
x

Company

Contact us Advertise with us

Categories

News C++ C# .NET Visual Basic Java Database Azure IoT Mobile Research Tools Blog

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information