How to Encrypt a Section in Web.Config?

It is often necessary to encrypt usernames, passwords or even connection strings in the web.config file. The usual approach is to pick an encryption algorithm and save the encryption key in the config file. .NET provides a built-in feature for encrypting an entire section of the web.config file. With this feature, .NET saves the key in the Machine.key file. The user ONLY needs to encrypt the section in the web.config file; decryption of the section is taken care of by the .NET Framework. Here is a step-by-step procedure for encrypting a section:

Section in Web.config

<!-- User Credentials -->
<ImpersonateUser>
  <add key="domain" value="domain_name"/>
  <add key="username" value="user_name"/>
  <add key="password" value="password"/>
</ImpersonateUser>

Step 1:
Open the Visual Studio Command Prompt in Administrative Mode
Go to Start -> Programs -> Visual Studio 2008 -> Visual Studio Tools -> Visual Studio Command Prompt, right-click and choose “Run as Administrator”.

Step 2:
Type the following command:
aspnet_regiis -pef "ImpersonateUser" "D:\SourceCode\RootFolder" -prov "RsaProtectedConfigurationProvider"
The web.config file should be present at the path “D:\SourceCode\RootFolder”. The general form of the command is:
aspnet_regiis -pef "SECTION_NAME" "PATH_TILL_WEB.CONFIG" -prov "ENCRYPTION_PROVIDER"

Step 3:
Run the above command.
The above command will encrypt the ImpersonateUser section in the web.config file and will save the web.config file at the given location. The encrypted section will look like:


<ImpersonateUser configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>nQGcFhli6gRmNXD1vjJG+fQw8nN80NwaXjKsVDsSbcoLqAmbKPDhZZvXw1E81uY6+3AhmUzp1SQSTavIVKjj8RvQI21LzaSSc8UUwo7Q7ZRHeBCpyQE+xRs9BlvsXjyn0oX/q5Ns4uoRU3OEkJlcYmFizrGG7YuHdvogh8+wFLE=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>YJODT4I4FKNuUqG3o3QEn8UGXS3jSeFjkVsE2r+jQuBy6fqh4Uc/psu49Rr0SgsDlx7RDm+yIzztRki7ETgNCaSwkkX0h3TXsnJv8jA+FuRmOqIXU8sfjF/5p1KNRkj8l1yzFueom2llRpjprclTvxlTVUQopOTXuodBV3dFnqnqTe/gu70GOqdNooNyWgn02hvG5GjL4mXdb8iMGDMJSrgin6E3nYMrkV71nMkPXi8+MeenWfRWQ1BH8BNblC9R</CipherValue>
</CipherData>
</EncryptedData>
</ImpersonateUser>

Most importantly, when using the web.config keys in C# code we DO NOT have to decrypt the section. .NET does it automatically and provides us with the decrypted values.
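A check to run after Step 3, as an added example that is not part of the original post: the PowerShell function below confirms that the section on disk carries configProtectionProvider and an EncryptedData element, with no plaintext add entries left behind. Test-SectionEncrypted is a hypothetical helper name, the two sample files are constructed, and the section is assumed to sit directly under the configuration root.

```powershell
# Added example; Test-SectionEncrypted is a hypothetical helper, not part of .NET.
function Test-SectionEncrypted {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        [Parameter(Mandatory = $true)][string]$SectionName
    )
    $xml = New-Object System.Xml.XmlDocument
    # Resolve first: XmlDocument.Load resolves relative paths against the process directory.
    $xml.Load((Resolve-Path -LiteralPath $ConfigPath).Path)
    # local-name() keeps the lookup working if the root declares a default namespace.
    $section = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$SectionName']")
    if ($null -eq $section) { throw "Section '$SectionName' not found in $ConfigPath" }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    # Any <add> element still under the section means its values are readable on disk.
    $plainAdds = $section.SelectNodes("*[local-name()='add']").Count

    [pscustomobject]@{
        Section   = $SectionName
        Provider  = $provider
        Encrypted = ($provider -ne '' -and $null -ne $encrypted -and $plainAdds -eq 0)
    }
}

# Constructed sample files (not from a real deployment); CipherValue is a placeholder.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'webconfig-check'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
@'
<configuration>
  <ImpersonateUser>
    <add key="password" value="password"/>
  </ImpersonateUser>
</configuration>
'@ | Set-Content -Path (Join-Path $dir 'plain.config')
@'
<configuration>
  <ImpersonateUser configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </ImpersonateUser>
</configuration>
'@ | Set-Content -Path (Join-Path $dir 'encrypted.config')

Get-ChildItem -Path $dir -Filter *.config | ForEach-Object {
    $r = Test-SectionEncrypted -ConfigPath $_.FullName -SectionName 'ImpersonateUser'
    '{0}: encrypted={1} provider={2}' -f $_.Name, $r.Encrypted, $r.Provider
}
```

In a deployment script, treat an Encrypted value of False as a failure before the file is published.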

Hope this helps. Your comments will help us improve 🙂


3 Responses to “How to Encrypt a Section in Web.Config?”

  1. James Says:

    I have followed the steps you have mentioned above. It works great on the developer’s environment, but throws an error in production. The error says – Unable to access RSA configuration.

    Can you please provide the solution?

  2. Sandeep Aparajit Says:

    It seems that your ASP.NET or the Network Service account does not have the required permission. Use the following command:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"

    Hope this helps you 🙂

  3. Offshore Software Development India Says:

    Hey Sandeep, I'm having the permission. And it's working well. Exactly what I needed.
