ASPNET_REGIIS -pef Vs -pe

Question

Using ASPNET_REGIIS we can encrypt the web.config using these 2 parameters:-

ASPNET_REGIIS -pef

ASPNET_REGIIS -pe

So what are the main differences between the 2 paramters?

Answer 1

If you run the executable without any options, the list of all options is outputted, and -pe and -pef state:

-pe for one can take a wider variety of arguments than -pef. Additionally, -pef expects the web-app-physical-dir to find the Web.config to encrypt, where as -pe uses virtual paths to find the file instead.

I went and tested this with a dummy website and the default provider, and it seems it doesn't do anything different. The resulting encryption used was the same:

Using -pe

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
          xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                      <KeyName>Rsa Key</KeyName>
                  </KeyInfo>
                  <CipherData>
                      <CipherValue>QKzHwFcTvWE9eQ8Ie0Aj9aIud0fgqLKYic1ljF4ellteeK+FeGzIt4lDnour8rVC5TRc1ATpVOyWuQqEUIxrMt4ADZohzC2nWEPrHposL81CeSxKcJ87fKp43c0Zj58yOZtdlHGqBEO6+0rSkzKZMy5g/RBSHPw6mp3aZgMEEbS/FtYxAMmo7MrFH22KtfeQy+zFKnpXPmsvVzniZMWMIL31W1WPQVr6UD0dNyKQw6kXiu4n0Y1Hk1d+J/TkoFh3vXbdhUPb2n5nB9Fi9+RHaErV8Qq1cMKJbtR31hXcl+WbovEL5wmP/lLlFq+jXQfkd9jqWSOFsQfDLb/nhbo9HA==</CipherValue>
                  </CipherData>
              </EncryptedKey>
          </KeyInfo>
          <CipherData>
              <CipherValue>3GhtZKsRwBrowqvYfv/5PzvoABJ0CQrMkW6hUBWQNYCAVkBJRV2WB++Z6+z/9X/lnLUwsLPJfz/qeqRfdLsuO9tGcJNgQ7KTSUcLqBuh8/Ri5p90noo1g9DPbqsFrxV1ZscCv5m1dwqCVNxemPpA1jdwldeSGlofEYw6+Wc+SKwyp140jdmnww5CEFaNPQ3FBIPNBrYmSIarD9F6B+SJhg==</CipherValue>
          </CipherData>
      </EncryptedData>
  </connectionStrings>
  ...

Using -pef:

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
          xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                      <KeyName>Rsa Key</KeyName>
                  </KeyInfo>
                  <CipherData>
                      <CipherValue>FYJXmZR7kplM8KdjBQVPERWjrQhO9Em7gUuLm1nLKe7r2JJ6AdsfvHWeWcZ57t2/CD9w0sfFLMBjWy1DFiVjpI6wy/XOu3fPQVzDO11db9KgOaCRLU587evQ8/lJDGFCSgz/p6XuFrqBIHRXig6eOr61n0b+cWlbUn5qxoLEdMZmYTlpvkuYgeVoO0auUczZaggATFdRCCHnNQSAQkZMOH1CvudbmJg6erMgydJfhbaxtCripcD+peMheAaSZoubWMUybEabE+nZt8KRb2JZANsdN0FY+jNJE2BBvwK2JH+/MQppFFwndxu5l/aoeOCNtHlU2/YgOl5BqG1l3HER+A==</CipherValue>
                  </CipherData>
              </EncryptedKey>
          </KeyInfo>
          <CipherData>
              <CipherValue>RvBFSRE9Di4BlTK2B+7agALgV64H4qWRmXbMtfw5iSkvHxnKOPCUuW3T9Gn3er/GW59w001VmwgXLyaW3FomKQjxOmO/PBDOWN32SkKDQHNTBJg4ifcpXb7/mH5rHg+Am2fr2ezAsqRFJN1+kGNB0ixgL+PrfqFZFKLYj2x8lB6my85Ex9rDGXXzl/t7Au6I5ZBY0uxa5uEb5iOwqYCVGA==</CipherValue>
          </CipherData>
      </EncryptedData>
  </connectionStrings>
   ...

Apart from usage differences, there doesn't appear to be any differences in terms of how it encrypts.