Geeks With Blogs

News Opinions and articles on this blog are mine alone and do not represent my employer. All articles and blog entries are posted using a personal computer system outside of my employer network.
Sam Abraham Software Engineer/Architect: Putting Customers First
I would like to share a few points regarding encrypting web configuration sections in .Net 4.0. This information also applies to .Net 3.5 and 2.0. Two methods work for encrypting connection strings in a Web project configuration file:
1- Do It All Yourself!
In this approach, helper functions for encrypting and decrypting configuration file content are implemented. The program explicitly retrieves the relevant content from the configuration file and then decrypts it. The disadvantages of this implementation are the added overhead of maintaining the encryption/decryption code, as well as the burden of always ensuring sections are decrypted before use and re-encrypted whenever edited.
2- Leverage the .Net 4.0 Framework (The Way to go!)
Fortunately, all the tools needed for protecting configuration files are built into the .Net 2.0/3.5/4.0 versions, with very little setup needed. To encrypt connection strings, one can use the ASP.Net IIS Registration Tool (Aspnet_regiis.exe). Note that a 64-bit version of the tool also exists under the Framework64 folder for 64-bit systems. The command we need to encrypt our web.config file connection strings is simply the following:
Aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
To later decrypt this configuration section:
Aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
The following is a brief description of the command line options used in the example above. Aspnet_regiis supports many more options which you can read about in the links provided for reference below.
Option  Description
-pe     Section name to encrypt
-pd     Section name to decrypt
-app    Web application name
-prov   Encryption/Decryption provider
ASP.Net automatically decrypts the content of the Web.Config file at runtime so no programming changes are needed.
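To confirm before deployment that the -pe command above actually took effect, the following check inspects a web.config for a protected connectionStrings section. It is an added example, not code from the original post: Test-ConnectionStringsProtected is a hypothetical helper name, both sample configurations are constructed with placeholder values, and it assumes the configuration root element declares no default XML namespace.

```powershell
# Added example: report whether <connectionStrings> in a web.config is protected.
# Test-ConnectionStringsProtected is a hypothetical helper, not part of .NET or IIS.
function Test-ConnectionStringsProtected {
    param([Parameter(Mandatory=$true)][xml]$Config)

    $section = $Config.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $section) { return 'Absent' }

    # aspnet_regiis -pe stamps the section with configProtectionProvider and
    # replaces its children with a single XML Encryption EncryptedData element.
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')
    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode('enc:EncryptedData', $ns)
    $plainAdds = $section.SelectNodes('add[@connectionString]')

    if ($provider -and $encrypted -and $plainAdds.Count -eq 0) { return 'Protected' }
    # configSource moves the section to another file, which must be checked itself.
    if ($section.HasAttribute('configSource')) { return 'External' }
    return 'Plaintext'
}

# Constructed samples: placeholder values, not real credentials or ciphertext.
$before = @'
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=u;Password=EXAMPLE" />
  </connectionStrings>
</configuration>
'@
$after = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@
Test-ConnectionStringsProtected -Config $before
Test-ConnectionStringsProtected -Config $after
```

For a deployed site, pass the file contents instead, for example `-Config (Get-Content .\web.config -Raw)`, and fail the release step on any result other than Protected.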
Another tool, aspnet_setreg.exe, is to be used if certain configuration file sections pertinent to the .Net runtime are to be encrypted. For more information on when and how to use aspnet_setreg, please refer to the references below.
Hope this helps!
Some great references concerning the topic:


Posted on Monday, January 17, 2011 11:49 AM, Tech Talk, ASP.Net 4.0, .Net 4.0, ASP.Net, webdev

Comments on this post: Leveraging .Net 4.0 Framework Tools For Encrypting Web Configuration Sections

# No access to prod server
One question about this approach. We looked at this a couple of years ago but had to abandon it, as we developers do not have access to run command line tools like this on production servers. So we can't generate a config file like this in prod without having someone manually do this on the server. Which the server team HATES...

So we took the custom-code-to-encrypt approach, generate our encrypted keys locally, and push these up with the rest of the app.
Left by BigJim on Jan 17, 2011 1:20 PM

# re: Leveraging .Net 4.0 Framework Tools For Encrypting Web Configuration Sections
Excellent Question! Please take a look at the first link in the references section of the post. Search for the section covering webfarms. That should help you :)
All the best,
Left by Sam Abraham on Jan 17, 2011 1:46 PM

Copyright © Sam Abraham