Reputation: 1
I have added the following settings inside my Web.config file for an ASP.NET MVC web application:
    <appSettings>
      <!-- code goes here -->
      <add key="ApiUserName" value="testuser" />
      <add key="ApiPassword" value=,,,… />
      <add key="ApiURL" value="http://win-spdev:8400/servlets/AssetServlet" />
    </appSettings>
These settings are used to initiate an API call as follows inside my controller action method:
    using (var client = new WebClient())
    {
        // Copy the posted form values into the query string
        var query = HttpUtility.ParseQueryString(string.Empty);
        foreach (string key in formValues)
        {
            query[key] = this.Request.Form[key];
        }
        // Credentials and endpoint are read from <appSettings> in Web.config
        query["username"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiUserName"];
        query["password"] = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiPassword"];
        query["assetType"] = "Rack";
        query["operation"] = "AddAsset";
        string apiurl = System.Web.Configuration.WebConfigurationManager.AppSettings["ApiURL"];
        var url = new UriBuilder(apiurl);
        // ... (remainder of the action method not shown)
    }
I have read the following link about encrypting and decrypting the web.config file: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx. But I am not sure how to do the encryption and decryption described in the link inside my action method above?
Upvotes: 2
Views: 1856
Reputation: 4685
There are basically two standard ways to do it: you can use aspnet_regiis with DPAPI or with RSA. The advantage of doing it with RSA is that if your application runs on multiple machines, you can encrypt once with the RSA key and use the same key for decryption on all the machines, whereas with DPAPI you will have to encrypt each one specifically for each machine it's running on.
With DPAPI, for example, you basically just go to your framework directory and run the following command:

    aspnet_regiis -pe "connectionStrings" -app "/MyApplication"

The command above would encrypt the connection strings for "MyApplication", which would be the name of your application in IIS. Now, this must be run on the machine the app is running on, so you first need to copy your app to the server. With the RSA method you can encrypt on your machine (or build server) and then deploy to whatever machine you want.
You can check out the walkthrough in detail at http://msdn.microsoft.com/library/dtkwfdky.aspx
The neat thing about this is that you don't have to worry about how you access your application settings and connection strings; you can just use ConfigurationManager.AppSettings and ConfigurationManager.ConnectionStrings as you would normally, and the framework will take care of doing the decryption for you.
Upvotes: 3
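The programmatic counterpart of the `aspnet_regiis -pe` command above, applied to the `appSettings` section from the question, as an added example that is not part of the original question or answer. The class and method names are hypothetical; the provider names are the .NET Framework defaults registered in machine.config, and the code assumes it runs under an account that is allowed to write to Web.config.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Added example (hypothetical helper, not code from the question or the answer).
public static class ConfigProtection
{
    // Default protected-configuration provider names from machine.config.
    // DPAPI ciphertext is bound to one machine; the RSA key container can be
    // exported and imported so several servers can decrypt the same file.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts one section of the application's Web.config in place.
    // virtualPath: the IIS application path, e.g. "/MyApplication" ("~" from inside the app).
    // Returns true if the file was rewritten, false if the section was already encrypted.
    public static bool ProtectSection(string virtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;                       // nothing to do, avoid a needless rewrite
        if (info.IsLocked)
            throw new ConfigurationErrorsException("Section is locked: " + sectionName);

        info.ProtectSection(provider);          // swaps the section body for EncryptedData
        info.ForceSave = true;                  // write it even though no values changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Deployment check: fails fast if a section holding secrets is still plaintext.
    public static bool IsSectionProtected(string virtualPath, string sectionName)
    {
        ConfigurationSection section =
            WebConfigurationManager.OpenWebConfiguration(virtualPath).GetSection(sectionName);
        return section != null && section.SectionInformation.IsProtected;
    }

    // Reading is unchanged: the framework decrypts the section transparently.
    public static string ReadApiPassword()
    {
        return WebConfigurationManager.AppSettings["ApiPassword"];
    }
}
```

Calling `ConfigProtection.ProtectSection("~", "appSettings", ConfigProtection.DpapiProvider)` once after deployment is enough; saving Web.config restarts the application. Encryption only covers the deployed file, so the plaintext value still needs to be kept out of source control and build artifacts.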