user1481183

Reputation: 368

Encrypting web.config sections

In a .NET 4.0 website, which web.config sections can be encrypted? I read that not all sections can be encrypted, but I can't find anything detailing which sections can.

Upvotes: 3

Views: 4192

Answers (3)

Malik Khalil Ahmad

Reputation: 6915

Configuration files such as the Web.config file are often used to hold sensitive information, including user names, passwords, db connection strings, and encryption keys. That's why we should always keep those sensitive sections in encrypted form.

Sections you can encrypt:

  • <appSettings>
  • <connectionStrings>
  • <identity>
  • <sessionState>

Sections you can't encrypt:

  • <processModel>
  • <runtime>
  • <mscorlib>
  • <startup>
  • <system.runtime.remoting>
  • <configProtectedData>
  • <satelliteassemblies>
  • <cryptographySettings>
  • <cryptoNameMapping>

Remember: Encrypting and decrypting data incurs performance overhead. To keep this overhead to a minimum, encrypt only the sections of your configuration file that store sensitive data.

Upvotes: 0

Dev-Systematix

Reputation: 449

To encrypt

Go to the directory below in a command prompt: C:\Windows\Microsoft.NET\Framework\v4.0.30319>

  1. Command to encrypt the connectionStrings section in the web.config file of the ShopAPI IIS application.

rem -pe encrypts the named section for the given IIS application
aspnet_regiis -pe "connectionStrings" -app "/ShopAPI"

rem -pd decrypts the same section again
aspnet_regiis -pd "connectionStrings" -app "/ShopAPI"

Upvotes: 0

Leniel Maccaferri

Reputation: 102378

From the MSDN docs, it's clear that one can encrypt and decrypt a web.config section using the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted, as long as the section is not one of these:

The following is a list of configuration sections that cannot be encrypted using protected configuration: processModel, runtime, mscorlib, startup, system.runtime.remoting, configProtectedData, satelliteassemblies, cryptographySettings, cryptoNameMapping, and cryptoClasses. It is recommended that you use other means of encrypting sensitive information, such as the ASP.NET Set Registry console application (Aspnet_setreg.exe) tool, to protect sensitive information in these configuration sections.

Here's what you need to encrypt all other possible sections:

Encrypting and Decrypting Configuration Sections

Walkthrough: Encrypting Configuration Information Using Protected Configuration

Upvotes: 2
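
An added example (not part of any answer above, and not Microsoft's code): a PowerShell check that reports, for a web.config, which of the sections named in the answers are already protected, still in plaintext, or not eligible for protected configuration. It assumes a protected section carries a `configProtectionProvider` attribute, which is how Aspnet_regiis.exe marks it; the function name and the sample document are constructed for illustration.

```powershell
# Constructed sample web.config: connectionStrings is protected, appSettings is not.
$sample = @'
<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#" />
  </connectionStrings>
  <runtime />
  <system.web>
    <sessionState mode="InProc" />
  </system.web>
</configuration>
'@

# Section names taken from the lists in the answers above.
$encryptable    = 'appSettings', 'connectionStrings', 'identity', 'sessionState'
$notEncryptable = 'processModel', 'runtime', 'mscorlib', 'startup',
                  'system.runtime.remoting', 'configProtectedData',
                  'satelliteassemblies', 'cryptographySettings',
                  'cryptoNameMapping', 'cryptoClasses'

# Hypothetical helper (name chosen for this example).
function Get-ConfigSectionProtection {
    param([Parameter(Mandatory)] [System.Xml.XmlDocument] $Config)

    # Visit every element so sections nested in groups (e.g. system.web) are found.
    foreach ($node in $Config.SelectNodes('//*')) {
        # GetAttribute returns an empty string when the attribute is absent.
        $provider = $node.GetAttribute('configProtectionProvider')
        $status = $null
        if ($provider) { $status = 'Encrypted' }
        elseif ($notEncryptable -contains $node.LocalName) { $status = 'NotEncryptable' }
        elseif ($encryptable -contains $node.LocalName) { $status = 'Plaintext' }

        # Elements outside both lists (add, EncryptedData, ...) are skipped.
        if ($status) {
            [pscustomobject]@{ Section = $node.LocalName; Status = $status; Provider = $provider }
        }
    }
}

# For a real file: [xml]$doc = Get-Content -Raw .\web.config
[xml]$doc = $sample
Get-ConfigSectionProtection -Config $doc | Format-Table -AutoSize
```

A section reported as Plaintext is only a candidate for `aspnet_regiis -pe`; whether it holds anything sensitive still has to be judged per application.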
