Encrypting and Decrypting Configuration Sections
Recently I got chance to work with security audit team for my web application, and one suggestion I got from them is to encrypt connection strings section in web.config. I thought it involves lot of coding changes, and I was not aware of ASP.Net utility which will help to encrypt and decrypt the connection strings or appsettings sections of the web application. There is no extra coding required to use this feature. You can encrypt /decrypt the connection strings / appsettings using the ASPNET_REGIIS utility. You can find this utility in your Framework folder, normally in C:\Windows\Microsoft.NET\Framework\[Version]. Or you can invoke this from Visual Studio Command Prompt.
Encrypt the connection string
aspnet_regiis -pe ConnectionString –app "/docs"
where –pe is the parameter used to encrypt the section. Connection string is the section, if you want to encrypt AppSettings, use appsettings instead of Connectionstrings. And the –app parameter is used to specify the application (it must be virtual path and need to start with “/”), if –app parameter is not specified it will encrypt the Root web.config. If the application is in File System, you need to specify –pef and Physical location as the parameter.
aspnet_regiis -pef ConnectionString –app "D:\MyWebApp"
Decrypt the connection string
It is almost same as Encryption, only difference is instead of –pe use –pd. And in the case of –pef use –pdf.
aspnet_regiis -pd ConnectionString –app "/docs"
and
aspnet_regiis -pdf ConnectionString –app "D:\MyWebApp"
You can also specify the Provider for Encryption too. Use –prov parameter for providing custom provider (You can create your own provider, for this you need to inherit from ProtectedConfigurationProvider class). By default it will be RsaProtectedConfigurationProvider.
Screenshots – Before and After encrypting the app settings.
Before Encryption
After Encryption
