Reputation: 11
Is it possible to read the encrypted connection string in Machine.config from Powershell script?
Due to security reasons, we are trying to move the hardcoded connection string from the PowerShell script to Machine.config.
Update: Powershell script is supposed to read the connection string from Machine.config (Encrypted through aspnet_regiis) and connect to the DB.
Upvotes: 0
Views: 1683
Reputation: 1
The previous answer was largely correct; I did have to make a couple of minor changes to get it working on my system with respect to the 'path' and 'appConfig' variables. For this script to work I am placing the PowerShell script in the same folder as the exe and config file I'm working with.
#This script will encrypt/decrypt the section specified in the sectionName variable of a .net configuration file
#using the DataProtectionConfigurationProvider method of encryption/decryption.
#Place this file in the same folder as the executable/config file and run it, be sure to update the 'appConfig'
#and 'sectionName' variables accordingly.
#ConfigurationManager lives in System.Configuration, which Windows PowerShell does not load by default.
Add-Type -AssemblyName System.Configuration
$path = Get-Location
$appConfig = "ServionDataRecovery.exe"
$sectionName = "connectionStrings"
$dataProtectionProvider = "DataProtectionConfigurationProvider"
#OpenExeConfiguration takes the exe path and reads the matching <exe>.config beside it.
$exePath = Join-Path $path $appConfig
if (-not (Test-Path $exePath) ) { throw "Unable to find $($appConfig) $($path)" }
$configuration = [System.Configuration.ConfigurationManager]::OpenExeConfiguration($exePath)
$section = $configuration.GetSection($sectionName)
if (-not $section.SectionInformation.IsProtected) {
    #Encrypt the section in place; DPAPI binds the ciphertext to this machine.
    $section.SectionInformation.ProtectSection($dataProtectionProvider)
    $section.SectionInformation.ForceSave = $true
    $configuration.Save([System.Configuration.ConfigurationSaveMode]::Full)
    Write-Host "$($sectionName) in $($appConfig) has been protected from casual users"
}
else {
    #Running the script a second time toggles the section back to clear text.
    Write-Host "$($sectionName) in $($appConfig) is already protected"
    $section.SectionInformation.UnprotectSection()
    $section.SectionInformation.ForceSave = $true
    $configuration.Save([System.Configuration.ConfigurationSaveMode]::Full)
    Write-Host "$($sectionName) in $($appConfig) protection removed"
}
Upvotes: 0
Reputation: 8336
I'm not sure where PowerShell figures into your question. If you use a built-in command like aspnet_regiis.exe to encrypt a configuration section, then your IIS site is unaware that the section is encrypted.
I'm not sure how putting something in machine.config is going to make an app more secure since anything that reads it transparently would work for any app on that machine.
The way .net configs work is you have a some.exe and it has a some.exe.config file. When you deploy some.exe you can (should?) include a step to encrypt sensitive sections. The app would still just read the data, unaware that it's been encrypted.
But again that is the app, not powershell that's reading the encrypted value.
Here's a section of a script I use that encrypts/decrypts sections. Use carefully since data encrypted can only be decrypted on the same machine (and likely the same OS). YMMV
# ConfigurationManager is in System.Configuration, which Windows PowerShell does not load by default.
Add-Type -AssemblyName System.Configuration
$appConfig = "your.exe"
$sectionName = "appSettings"
$dataProtectionProvider = "DataProtectionConfigurationProvider"
# Full path to the exe whose <exe>.config is toggled; assumes the exe is in the current directory.
$path = Join-Path (Get-Location) $appConfig
if (-not (Test-Path $path) ) { throw "Unable to find $($appConfig) $($path)" }
$configuration = [System.Configuration.ConfigurationManager]::OpenExeConfiguration($path)
$section = $configuration.GetSection($sectionName)
if (-not $section.SectionInformation.IsProtected) {
    # Encrypt the section with DPAPI; the result can only be decrypted on this machine.
    $section.SectionInformation.ProtectSection($dataProtectionProvider)
    $section.SectionInformation.ForceSave = $true
    $configuration.Save([System.Configuration.ConfigurationSaveMode]::Full)
    Write-Information -Message "$($sectionName) in $($appConfig) has been protected from casual users"
}
else {
    # Already encrypted: running again decrypts the section back to clear text.
    Write-Information -Message "$($sectionName) in $($appConfig) is already protected"
    $section.SectionInformation.UnprotectSection()
    $section.SectionInformation.ForceSave = $true
    $configuration.Save([System.Configuration.ConfigurationSaveMode]::Full)
    Write-Information -Message "$($sectionName) in $($appConfig) protection removed"
}
This is a snippet of a full script to encrypt/decrypt config sections.
Upvotes: 0
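The question itself (a PowerShell script reading the encrypted connectionStrings section from machine.config) can be answered with the same ConfigurationManager API the two scripts above use, since it decrypts a protected section transparently for any caller that can use the provider's key. This is an added example, not code from either answer; the function name and the 'ReportingDb' connection string name are assumptions.

```powershell
# Added example: read a connection string from machine.config in PowerShell.
# ConfigurationManager decrypts a protected section on access, so the script
# never sees or handles the ciphertext itself.
Add-Type -AssemblyName System.Configuration

function Get-MachineConfigConnectionString {
    param(
        [Parameter(Mandatory)] [string] $Name   # name attribute of the <add> element
    )

    # OpenMachineConfiguration() opens the machine.config of the CLR this
    # PowerShell process runs on; check [Environment]::Version and
    # [Environment]::Is64BitProcess if the target app uses a different one.
    $config  = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration()
    $section = $config.GetSection('connectionStrings')

    if ($section.SectionInformation.IsProtected) {
        # aspnet_regiis -pe uses RsaProtectedConfigurationProvider by default,
        # or DataProtectionConfigurationProvider (DPAPI) when -prov says so.
        $provider = $section.SectionInformation.ProtectionProvider.Name
        Write-Verbose "connectionStrings is protected by $provider"
    } else {
        Write-Warning 'connectionStrings in machine.config is stored in clear text'
    }

    # Reading the collection is what triggers decryption. With the RSA provider
    # this throws unless the running account was granted access to the key
    # container, e.g. aspnet_regiis -pa "NetFrameworkConfigurationKey" "DOMAIN\svc".
    $entry = $section.ConnectionStrings[$Name]
    if ($null -eq $entry) { throw "No connection string named '$Name' in machine.config" }
    return $entry.ConnectionString
}

# Usage: connect with the decrypted string without writing it to disk or logs.
$connStr = Get-MachineConfigConnectionString -Name 'ReportingDb' -Verbose
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()
    Write-Host "Connected to $($conn.DataSource)/$($conn.Database)"
} finally {
    $conn.Dispose()
}
```

Because decryption is transparent, protection only limits who can read the file and who holds the key: any account on the machine with access to the provider's key (or, with DPAPI, any process on that machine) gets the plaintext, which is the point the answer above makes about machine.config.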