Encrypting Web.Config

Question

I am going to encrypt appSettings in Web.config:

Many ways worked on local, but the issue is I need to encrypt/decrypt webconfig many times on production server, and I don't want to Network admins, to change web.config permissions every time we do this?

is there any better way of securing appsettings?

Answer 1

You can use aspnet_regiis.exe application that comes with the .net framework(NOTE: every framework is having a different aspnet_regiis.exe application)

If your application is in framework 2.0 you can use aspnet_regiss.exe -pef or aspnet_regiss.exe -pe for encrypting the selected section from your configuration file.

for more information you can refer to the link

http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx

Hope the information gets you a resolution!!!!!! :)

Answer 2

aspnet_regiis -pe is the method Im assuming you are referring to.

First, this should occur only when you deploy to the server (which you are prob planning on). Secondly, net admins just need to run an admin prompt to do this - they don't need to change permissions on the file. I talk about this a little in the video at: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333

Answer 3

I would recommend you have your application encrypt the values after it is started. That will make sure that the values are always encrypted.

Then keep the values unencrypted in your source control tree or the installer files that you use to deploy the application.

Answer 4

If you want to secure the appsettings content this way you have to do it. But there may be issues if you want to deploy the web app in a farm. In the case you may have to look at Creating and Exporting an RSA Key Container. Or you can have the appsettings values to a database and read it from there.