web config encryption

  • Question

  • User-541003552 posted

    Is it possible to encrypt the web config file after deployment, and if possible, how do I do that?

    Thursday, September 5, 2013 12:10 PM

All replies

  • User1564875471 posted

    People usually don't encrypt the whole file; they encrypt only the sensitive sections that contain the users/passwords. Examples of these sections are the "connectionStrings" and "Impersonate" sections.

    Here is an example using the aspnet_regiis tool

    http://msdn.microsoft.com/library/dtkwfdky.aspx

    Of course, the tool needs to be run on the server which hosts your app, so you need to have remote admin access to the server.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 5, 2013 5:34 PM
  • User368552557 posted

    Here are the commands to encrypt web.config file without any programming...

    For encryption

    aspnet_regiis -pef "Section" "Path excluding web.config"

    For Decryption

    aspnet_regiis -pdf "Section" "Path excluding web.config"

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 5, 2013 9:12 PM
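
A check to run after `aspnet_regiis -pef`, added here as an example and not code from any poster in this thread: a protected section carries a `configProtectionProvider` attribute and an `EncryptedData` child, so the audit below reports which of the sections named in the replies above are still cleartext. The sample config, its placeholder cipher text and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sections the thread names as sensitive, as paths below <configuration>.
SENSITIVE = ["connectionStrings", "system.web/identity"]
# Attributes that carry credentials while a section is still cleartext.
SECRET_ATTRS = {"connectionString", "userName", "password"}
# Constructed sample (placeholder cipher text): only connectionStrings encrypted.
AFTER = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="svc" password="example" />
  </system.web>
</configuration>"""

def _local(tag):
    """Drop an XML namespace: '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def _find(root, path):
    """Walk an 'a/b' path by local tag name; None if any step is missing."""
    node = root
    for part in path.split("/"):
        node = next((c for c in node if _local(c.tag) == part), None)
        if node is None:
            return None
    return node

def audit(web_config_xml):
    """Map each sensitive section to absent/encrypted/plaintext/empty."""
    root = ET.fromstring(web_config_xml)
    report = {}
    for path in SENSITIVE:
        node = _find(root, path)
        if node is None:
            report[path] = "absent"
        elif node.get("configProtectionProvider") and any(
                _local(c.tag) == "EncryptedData" for c in node):
            report[path] = "encrypted"
        elif any(a in SECRET_ATTRS for el in node.iter() for a in el.attrib):
            report[path] = "plaintext"
        else:
            report[path] = "empty"  # present but holds no credentials
    return report

if __name__ == "__main__":
    print(audit(AFTER))
```

On the sample, `connectionStrings` is reported as encrypted while `system.web/identity` is still plaintext: each section has to be encrypted with its own `-pef` call.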
  • User-1635195291 posted

    Hi KeeEdwins,

    I believe there are two ways of doing this:

    using aspnet_regiis using DPAPI or RSA, or doing it programmatically.

    The programmatic way can be handy, particularly if you also like to encrypt app.config.

    From my experience of using this, if you write a custom configuration section, you have to install the DLL containing the classes for that section into the GAC. For a project I was working on, I basically scripted the following approach:

    • Copy config DLL to GAC.
    • Perform encryption.
    • Remove config DLL from GAC.

    Chances are, if you are just encrypting connection strings, then this won't be a problem. You also need to bear in mind whether you want to encrypt on a machine-wide basis or to a specific user account; both options can be useful depending on your scenario. For simplicity I stuck to machine-wide encryption. The links I have provided explain the merits of both approaches.

    Source: Encrypting Web.Config

    Hope this helps.

    Thanks,

    Jatin

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 5, 2013 9:28 PM
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 6, 2013 7:59 AM
  • User-541003552 posted

    Hi, I am trying to use the code-behind method, but this is the error I get:

    System.Security.Cryptography.CryptographicException: Object already exists.

    How can I fix it?

    This is the code below

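    // Needs: using System.Configuration; using System.Web.Configuration;
    // "section" and "provider" are fields defined elsewhere in the page class (not shown in the post).
    protected void BtnEncrypt_Click(object sender, EventArgs e)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        if (configSect != null)
        {
            // Encrypt the section with the named protected-configuration provider and write it back.
            configSect.SectionInformation.ProtectSection(provider);
            config.Save();
        }
    }

    protected void BtnDecrypt_Click(object sender, EventArgs e)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection configSect = config.GetSection(section);
        // GetSection returns null for an unknown section name, so check before dereferencing.
        if (configSect != null && configSect.SectionInformation.IsProtected)
        {
            configSect.SectionInformation.UnprotectSection();
            config.Save();
        }
    }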

    Friday, September 6, 2013 11:42 AM
  • User-1426144113 posted

    Hi,

    On which line of code do you get that error?

    Thanks

    Saturday, September 7, 2013 10:43 AM
  • User-1454326058 posted

    Hi KeeEdwins,

    Thanks for your post!

    Based on my test, we will get that error if we run it without administrator permissions. So I suggest that you run your VS as administrator.

    I also tried to publish that project and it works fine.

    Thanks

    Best Regards

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, September 9, 2013 1:50 AM