Encrypt Configuration Sections

Encrypt Configuration Sections using Aspnet_regiis.exe

 

Configuration files usually contain a lot of sensitive information.

Encryption can be done using either DPAPI or RSA.

The sections that usually contain sensitive information that you need to encrypt are the following:

·         <appSettings>. This section contains custom application settings.

·         <connectionStrings>. This section contains connection strings.

·         <identity>. This section can contain impersonation credentials.

·         <sessionState>. This section contains the connection string for the out-of-process session state provider.

 

Perform the following steps:

Step 1. Identify the configuration sections to be encrypted.
Step 2. Choose the machine or user store (the two DPAPI key stores).
Step 3. Encrypt your configuration file data.


Encryption and decryption add processing overhead; to keep it to a minimum, encrypt only the sections of your configuration file that store sensitive data.

Sections You Cannot Encrypt Using Protected Configuration with the Aspnet_regiis.exe tool

·         <processModel>

·         <runtime>

·         <mscorlib>

·         <startup>

·         <system.runtime.remoting>

·         <configProtectedData>

·         <satelliteassemblies>

·         <cryptographySettings>

·         <cryptoNameMapping>

·         <cryptoClasses>

Aspnet_regiis.exe uses a ProtectedConfigurationProvider to do the encryption.

 

There are two providers:

·         RsaProtectedConfigurationProvider (RSA key container)

·         DataProtectionConfigurationProvider (DPAPI)

 

To encrypt the connectionStrings section of the MachineDPAPI virtual directory, run the following command from a .NET command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

OR

aspnet_regiis.exe -pef "connectionStrings" C:\Projects\MachineDPAPI

By default, the DataProtectionConfigurationProvider is configured to use DPAPI with the machine store.

The -pe switch specifies the configuration section to encrypt.

The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file instead of a virtual path. When -prov is omitted, as in the -pef example above, the provider configured as the default in machine.config is used (RsaProtectedConfigurationProvider unless it has been changed), so pass -prov explicitly if you want DPAPI.

The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".

The -prov switch specifies the provider name.

If the command is successful, you will see the following output:

Encrypting configuration section...

Succeeded!

To change the connectionStrings section back to clear text, run the following command from the command prompt:

aspnet_regiis -pd "connectionStrings" -app "/MachineDPAPI"

OR

aspnet_regiis -pdf "connectionStrings" C:\Projects\MachineDPAPI


Using DPAPI with a User Store to Encrypt a Connection String in Web.Config

Add and configure a protected configuration provider to use the user store. To do this, add the following <configProtectedData> section. You must set useMachineProtection= "false" to instruct the provider to use the user store. You must also use a unique provider name, or a run-time error will occur.

<configProtectedData>
  <providers>
    <add useMachineProtection="false"
         keyEntropy=""
         name="MyUserDataProtectionConfigurationProvider"
         type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

 

Run the following command from a command prompt to encrypt the connectionStrings section:

Aspnet_regiis -pe "connectionStrings" -app "/UserDPAPI" -prov "MyUserDataProtectionConfigurationProvider"

The -pe switch specifies the configuration section to encrypt.

The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example: "/test/aspnet/UserDPAPI".

The -prov switch specifies the provider name. In this case, it is set to "MyUserDataProtectionConfigurationProvider".

 

To change the connectionStrings section back to clear text, run the following command from the command prompt:

aspnet_regiis -pd "connectionStrings" -app "/UserDPAPI"
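The machine-store and user-store procedures above can also be driven from code through the same ProtectedConfigurationProvider API that Aspnet_regiis.exe uses. The following is an added example, not code from the original page; it assumes a .NET Framework build with references to System.Configuration and System.Web, takes the physical directory of the web.config as its first argument (like -pef/-pdf), and uses the two provider names from this page.

```csharp
// Programmatic equivalent of aspnet_regiis -pef/-pdf: encrypt or decrypt the
// connectionStrings section of a web.config reached by physical path.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConfig
{
    // Provider names from the page; the user-store provider must already be
    // declared in <configProtectedData> of the target web.config.
    const string MachineDpapi = "DataProtectionConfigurationProvider";
    const string UserDpapi = "MyUserDataProtectionConfigurationProvider";

    static Configuration Open(string physicalDir)
    {
        // Map the physical directory to "/" so web.config opens without IIS.
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypt one section with the named provider (no-op if already protected).
    static void Protect(string physicalDir, string sectionName, string provider)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null) throw new ArgumentException("No section " + sectionName);
        if (section.SectionInformation.IsProtected) return;
        section.SectionInformation.ProtectSection(provider);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Decrypt back to clear text; must run under an identity that can use the
    // key store the section was encrypted with (machine store, or that user's).
    static void Unprotect(string physicalDir, string sectionName)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected) return;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Usage: ProtectConfig <physicalDir> [machine|user] [decrypt]
    static void Main(string[] args)
    {
        string provider = args.Length > 1 && args[1] == "user" ? UserDpapi : MachineDpapi;
        if (args.Length > 2 && args[2] == "decrypt") Unprotect(args[0], "connectionStrings");
        else Protect(args[0], "connectionStrings", provider);
    }
}
```

After Protect runs, only the file on disk shows the encrypted form; the application keeps reading the section transparently through ConfigurationManager.ConnectionStrings.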
