Leveraging .Net 4.0 Framework Tools For Encrypting Web Configuration Sections
- by Sam Abraham
I would like to share a few points with regards to encrypting web configuration sections in .Net 4.0. This information is also applicable to .Net 3.5 and 2.0. Two methods can work perfectly for encrypting connection strings in a Web project configuration file:
 
1-Do It All Yourself!
In this approach, helper functions for encrypting/decrypting configuration file content are implemented. Program would explicitly retrieve appropriate content from configuration file then decrypt it appropriately.  Disadvantages of this implementation would be the added overhead for maintaining the encryption/decryption code as well the burden of always ensuring sections are appropriately decrypted before use and encrypted appropriately whenever edited.
 
2- Leverage the .Net 4.0 Framework (The Way to go!)
Fortunately, all needed tools for protecting configuration files are built-in to the .Net 2.0/3.5/4.0 versions with very little setup needed. To encrypt connection strings, one can use the ASP.Net IIS Registration Tool (Aspnet_regiis.exe). Note that a 64-bit version of the tool also exists under the Framework64 folder for 64-bit systems. The command we need to encrypt our web.config file connection strings is simply the following:
 
Aspnet_regiis –pe “connectionstrings” –app “/sampleApplication” –prov “RsaProtectedConfigurationProvider”
 
To later decrypt this configuration section:
 
Aspnet_regiis –pd “connectionstrings” –app “/SampleApplication”
 
The following is a brief description of the command line options used in the example above. Aspnet_regiis supports many more options which you can read about in the links provided for reference below.
 
    
        
            Option
            Description
        
        
            -pe
             Section name to encrypt
        
        
            -pd
             Section name to decrypt
        
        
            -app
             Web application name
        
        
            -prov
             Encryption/Decryption provider
        
    
 
ASP.Net automatically decrypts the content of the Web.Config file at runtime so no programming changes are needed.
 
Another tool, aspnet_setreg.exe is to be used if certain configuration file sections pertinent to the .Net runtime are to be encrypted. For more information on when and how to use aspnet_setreg, please refer to the references below.
 
Hope this helps!
 
Some great references concerning the topic:
 
http://msdn.microsoft.com/en-us/library/ff650037.aspx
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
http://msdn.microsoft.com/en-us/library/68ze1hb2.aspx