Considering the industry I work in, even simple apps with little or no sensitive data are subject to every security penetration test available. If you are creating web apps that have access to a data layer, you are inevitably confronted with the question of where and how to store your database connection strings (or other sensitive data). Thankfully most of us are miles away from INI files, registry keys and *GULP* hardcoding them in the app itself.

The .NET Framework 1.x versions had limited support for configuration file encryption. .NET Framework 2.0 introduced the protected configuration feature, which lets you encrypt sensitive sections of a configuration file from the command line (or from code). The following two protected configuration providers are provided out of the box:

  • RsaProtectedConfigurationProvider - This is the default provider and uses RSA public key encryption to encrypt and decrypt data.
  • DpapiProtectedConfigurationProvider - This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. It is registered in machine.config under the name DataProtectionConfigurationProvider, which is the name you pass to aspnet_regiis and to ProtectSection.

Take a web.config with a section you want to protect:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <someAppSettings>
        <add key="secret" value="lightoftheworld" />
    </someAppSettings>
</configuration>

Open the Visual Studio 2010 command prompt, navigate to the folder containing the web.config file and run the following command:
aspnet_regiis -pef someAppSettings . -prov DataProtectionConfigurationProvider


This modifies only the “someAppSettings” section of the config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <someAppSettings configProtectionProvider="DataProtectionConfigurationProvider">
        <EncryptedData>
            <CipherData>
                <CipherValue>ASDAASNCMnd.......</CipherValue>
            </CipherData>
        </EncryptedData>
    </someAppSettings>
</configuration>

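As an added example (not from the original post), here is the same command-line step wrapped in a PowerShell script that also verifies the result on disk. It assumes an elevated prompt, a hypothetical site folder and the 64-bit .NET 4.x aspnet_regiis path.

```powershell
# Added example, not from the original post. Encrypts one web.config section with
# aspnet_regiis and then checks the file on disk: the section must carry the
# configProtectionProvider attribute, contain a CipherValue, and none of the
# former plaintext values may remain. Run from an elevated prompt.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\MyApp',            # hypothetical site folder
    [string]$Section  = 'someAppSettings',
    [string]$Provider = 'DataProtectionConfigurationProvider'  # or RsaProtectedConfigurationProvider
)
$ErrorActionPreference = 'Stop'
# Assumed tooling path: 64-bit .NET 4.x aspnet_regiis.
$regiis     = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$configPath = Join-Path $SiteRoot 'web.config'

# Record the plaintext values before encryption so we can prove they are gone afterwards.
[xml]$before = Get-Content -Path $configPath -Raw
$node = $before.configuration.SelectSingleNode($Section)
if (-not $node) { throw "Section '$Section' not found in $configPath" }
if ($node.GetAttribute('configProtectionProvider')) { throw "Section '$Section' is already protected" }
$plaintext = @($node.SelectNodes('add') | ForEach-Object { $_.GetAttribute('value') })

# -pef: encrypt the named section of the web.config in the given physical folder.
& $regiis -pef $Section $SiteRoot -prov $Provider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify the on-disk result.
[xml]$after = Get-Content -Path $configPath -Raw
$protected = $after.configuration.SelectSingleNode($Section)
if ($protected.GetAttribute('configProtectionProvider') -ne $Provider) {
    throw "Section '$Section' is not marked as protected by $Provider"
}
$cipher = $protected.SelectSingleNode('EncryptedData/CipherData/CipherValue')
if (-not $cipher -or [string]::IsNullOrWhiteSpace($cipher.InnerText)) {
    throw "Section '$Section' has no CipherValue"
}
$raw = Get-Content -Path $configPath -Raw
foreach ($value in $plaintext) {
    if ($value -and $raw.Contains($value)) { throw "Plaintext value still present in $configPath" }
}
Write-Host "Section '$Section' in $configPath is encrypted with $Provider."
```

With RsaProtectedConfigurationProvider the application pool identity must also be granted read access to the RSA key container (aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\MyApp", with the pool name being a placeholder), which the DPAPI provider does not need. A DPAPI-encrypted web.config can only be decrypted on the machine that encrypted it, so it cannot be copied between servers.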
You can also perform the encryption/decryption step in code, as shown here:

using System.Configuration;
using System.Web.Configuration;

static void ToggleWebEncrypt()
{
    // Open the Web.config of the application at the site root and get the connectionStrings section.
    Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
    var section = config.GetSection("connectionStrings") as ConnectionStringsSection;
    if (section == null)
        throw new ConfigurationErrorsException("connectionStrings section not found.");

    // Toggle encryption: unprotect if it is already encrypted, otherwise encrypt it.
    if (section.SectionInformation.IsProtected)
        section.SectionInformation.UnprotectSection();
    else
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");

    // To use the DPAPI provider instead, pass its registered name (not the class name):
    //section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

    // Save changes to the Web.config file (the worker process needs write access to it).
    config.Save();
}


ASP.NET decrypts protected configuration sections automatically when it reads them, so you do not need to write any additional decryption code. Be safe out there!