Can included sections in Web.config be encrypted

Question

I have an ASP.NET MVC5 website in development which I will shortly need to deploy to an IIS8 webserver. I'm trying to get the security model for the web.config file right, and in particular I want to:

• Prevent secrets in the web.config file being exposed in my source control system
• Protect the deployed web.config from prying eyes (I don't own the server).

From searching on SO and other sites I can see that there are specific tools/techniques to address each scenario:

• 'Included' sections in web.config that do not get saved to the SCCS.
• Encrypted web.config files. Or encrypted sections of the file to be more precise.

I'm fine with both of those, but I can not for the life of me see how to combine the two techniques to solve both problems simultaneously. Is it possible to encrypt an external section? Is this even the right approach given that many of the answers are several years old now and address older versions of ASP.NET/MVC.

I can't be the first do want to do this so I'm sure I'm missing something obvious.

It has been suggested that this might already be answered here, however that question is about encrypting sections in the main web.config file, and I am asking about encrypting external sections. By that I mean sections that are 'included' using the configSource XML attribute.

Answer 1

It's probably bad form to answer ones own question, but I had a flash of inspiration and after a couple of hours of experimentation I have it working how I want.

The bit I had got all wrong was that I was trying to encrypt the external files. It does not work like that. Here's how it does work, at least, this is how it works for me on an IIS8.5 and ASP.NET v4.0.30319 server.

ConnectionStrings

1. Create the connectionStrings section in a separate file, e.g. Web.connectionStrings.config:

   <?xml version="1.0"?>
   <connectionStrings>
     <add name="MyConnection" connectionString="{your connection string here}" 
         providerName="System.Data.SqlClient" />
   </connectionStrings>
   

2. Ref this file from web.config:

   <connectionStrings configSource="Web.connectionStrings.config" />
   

3. Make sure the external file is not under source code control so it does not get uploaded to your SCCS.

4. Deploy BOTH files, either as part of your deployment process or deploy the secure file manually if you're really paranoid.

5. Encrypt the connectionStrings section of the web.config normally, using the aspnet_regiis.exe command mentioned in the article mentioned by Afzaal. This process actually encrypts the contents of the Web.connectionStrings.config file and leaves the web.config file unchanged. You need to leave the external file in place but as it is now encrypted this is quite safe.

appSettings

1. Create your security-critical settings in a separate file, e.g. Web.appSettings.config.

   <?xml version="1.0"?>
   <appSettings>
     <add key="wc1" value="web.app.config1" />
     <add key="wc2" value="web.app.config2" />
   </appSettings>
   

2. Ref this file from web.config:

     <appSettings file="Web.App.config">
       {other non-secure appSettings}
     </appSettings>
   

3. Again, ensure the secure file is not under source control, and deploy both files to the production server.

4. Encrypt the appSettings section of the web.config file.

Unlike the connectionStrings section, this does not alter the external file at all. Instead, settings from both web.config and the external file are merged (external file takes precedence if duplicate keys are encountered) and are stored in an encrypted form in web.config.

At this point you can remove the Web.appSettings.config file as its contents are now incorporated into the main file.

Points to note:

• If you introduce another Web.appSettings.config file at a later time, and restart the site, the contents of that file will override the encrypted settings in web.config. This may or may not be useful. When you remove the file and restart the site, the settings revert to the encrypted ones again.
• If you decrypt the appSettings section, ALL the current settings are written back into the main web.config file, including those that originally came from the external file. You'll need to remember to remove them if you're just changing a setting and then re-encrypting the file again.