Encrypting configuration sections using aspnet_regiis

Question

I'm trying to use aspnet_regiis -pef to encrypt configuration sections and protect sensitive data. I've managed to do that successfully for sections like connectionStrings and system.webServer but I'm interested in encrypting specific sub-sections (or even specific attributes if possible).

For example, I'd like to be able to encrypt the authentication section which is under system.webServer/security/authentication in the config. Or, ideally, I'd like to be able to encrypt an attribute or an element value only. Put it differently, I'd like to be able to give it an xpath and just have that specific part of the XML encrypted.

Is this possible? And is is there a way to retrieve all the sections that can be encrypted?

Answer 1

From what I can tell, you can only encrypt sections that are defined in the <configSections> block for the config file. The ones that you specify with a "path" (i.e. system.web/membership) are inside of a <sectionGroup>.

You can find the full list of default sections by opening up your machine config. See this post to find your machine.config file.

If you are looking to encrypt only certain values that you access directly in your code, you can create a custom config section and encrypt it, but if you are looking to encrypt only part of a pre-defined .NET config section, then you're probably out of luck.

Answer 2

I believe you just specify the complete path on the command line. Not sure how deep it goes though. I tried "system.web/membership" and it worked, but "system.web/membership/providers" did not.

e.g. aspnet_regiis.exe -pef "system.web/membership" "C:\MyPath"

I tried other nested sections too though and they failed, so there are obviously other restirctions in play as well.

Hope this points you in the right direction at least!