
Encrypting and Decrypting Configuration Sections

Started by nandagopal, Aug 18, 2008, 12:02 PM


nandagopal

You can encrypt and decrypt sections of a Web.config file in different ways using the ProtectedConfigurationProvider class.

The following list describes the protected configuration providers included in the .NET Framework.

· Encrypt Configuration section of Web.Config using RSA
· Encrypt Configuration section of Web.Config using Windows Data Protection API
· Encrypting Web.Config file using aspnet_regiis.exe command line tool
· Encrypting Web.Config file through code/Programming

Both the DpapiProtectedConfigurationProvider and RsaProtectedConfigurationProvider providers offer strong encryption of data. However, if you are planning on using the same encrypted configuration file on multiple servers, such as a Web farm, only the RsaProtectedConfigurationProvider enables you to export the encryption keys and import them on another server.

You can use aspnet_regiis.exe to encrypt sections of the Web.config file and manage encryption keys. ASP.NET decrypts the configuration file when it processes the file. Therefore, decryption does not require any additional code.

How to add RsaProtectedConfigurationProvider configuration in web.config

You specify a protected configuration provider in the configProtectedData section of a configuration file. If you want to specify your own provider with custom settings, you can declare a new provider instance using the add element of the providers element. You can identify your provider instance as the default provider using the defaultProvider attribute of the configProtectedData element. See the example below.

Listing 6
<configuration>
  <!-- defaultProvider must match the name of a provider declared below -->
  <configProtectedData defaultProvider="MyProvider">
    <providers>
      <add name="MyProvider"
        type="System.Configuration.RsaProtectedConfigurationProvider,
              System.Configuration, Version=2.0.0.0, Culture=neutral,
              PublicKeyToken=b03f5f7f11d50a3a,
              processorArchitecture=MSIL"
        keyContainerName="MySampleKeys"
        useMachineContainer="true" />
    </providers>
  </configProtectedData>
</configuration>


Each protected configuration provider exposes options that you can set using attributes of the provider's declaration in the configuration file. All providers require the type and description attributes as well as the keyName for the provider instance. Beyond that, the options are unique to each provider type.

The following are the attributes of the RsaProtectedConfigurationProvider.

Type: "System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"

Description: A description of the provider instance.

KeyContainerName: The name of the RSA key container used to encrypt or decrypt the contents of the Web.config file.

UseOAEP: True to use Optimal Asymmetric Encryption Padding (OAEP) when encrypting and decrypting; otherwise, false.

CspProviderName: The name of the Windows cryptography API (crypto API) cryptographic service provider (CSP).
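
The Web farm workflow described above (encrypt with an RSA key container, export the key, import it on another server), as an added example that is not part of the original post. MySampleKeys and MyProvider come from Listing 6; the section name, folder paths, account and tool location are assumptions.

```powershell
# Added example. Run elevated with -Role Source on the first server, then copy the
# encrypted Web.config and the key file to the next server and run with -Role Target.
param(
    [Parameter(Mandatory)] [ValidateSet('Source', 'Target')] [string] $Role,
    [string] $Container = 'MySampleKeys',                  # keyContainerName from Listing 6
    [string] $Provider  = 'MyProvider',                    # provider name from Listing 6
    [string] $Section   = 'connectionStrings',             # assumed section to protect
    [string] $SitePath  = 'C:\inetpub\SampleApp',          # assumed folder holding Web.config
    [string] $KeyFile   = 'C:\Transfer\MySampleKeys.xml',  # assumed transfer location
    [string] $Account   = 'NT AUTHORITY\NETWORK SERVICE'   # assumed ASP.NET worker identity
)

# Assumed tool location for 64-bit .NET Framework 2.0; adjust to the installed version.
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe'

function Invoke-Regiis([string[]] $ArgList) {
    & $regiis $ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($ArgList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if ($Role -eq 'Source') {
    # Create a machine-level RSA container whose key may be exported later.
    Invoke-Regiis '-pc', $Container, '-exp'
    # Let the worker process identity read the container so ASP.NET can decrypt.
    Invoke-Regiis '-pa', $Container, $Account
    # Encrypt the section in the Web.config found under $SitePath.
    Invoke-Regiis '-pef', $Section, $SitePath, '-prov', $Provider
    # Export the key pair. -pri includes the private key, so treat the file as a secret.
    Invoke-Regiis '-px', $Container, $KeyFile, '-pri'
    Write-Host "Move $KeyFile over a protected channel, then delete it from this server."
}
else {
    # Import the key pair into a container with the same name as on the source server.
    Invoke-Regiis '-pi', $Container, $KeyFile
    Invoke-Regiis '-pa', $Container, $Account
    # The private key now lives in the container; do not leave the export on disk.
    Remove-Item -LiteralPath $KeyFile -Force
}
```

Anyone who obtains the exported XML file can decrypt every configuration section protected with that container, so limit who can read the transfer location and keep the file out of backups and source control.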