I am developing a web app which requires a username and password to be stored in the web.Config, it also refers to some URLs which will be requested by the web app itself an
EDIT:
If you can't use the aspnet utility, you can encrypt the config file using the SectionInformation.ProtectSection method.
Sample on codeproject:
Encryption of Connection Strings inside the Web.config in ASP.Net 2.0
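An added example (not code from the answer above or the CodeProject sample) of that in-code route, using the DPAPI-based DataProtectionConfigurationProvider that ships with the Framework; the class and method names are my own, and it assumes the worker process identity may write web.config.

```csharp
// Added example: encrypt or decrypt a web.config section in code with
// SectionInformation.ProtectSection / UnprotectSection.
// Assumptions: the app's identity can write web.config, and the named
// section (e.g. "appSettings") exists in the file.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigSectionProtector
{
    // DPAPI provider: keys are bound to this machine, so the file only decrypts here.
    // Use RsaProtectedConfigurationProvider instead if the config must move between servers.
    private const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Returns true if the section was changed, false if it was already in the requested state.
    public static bool SetProtection(string appVirtualPath, string sectionName, bool encrypt)
    {
        // Open the web.config of the application at the given virtual path ("~" = this app).
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found in web.config: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (encrypt)
        {
            if (info.IsProtected) return false;   // already encrypted, nothing to do
            info.ProtectSection(DpapiProvider);
        }
        else
        {
            if (!info.IsProtected) return false;  // already plaintext
            info.UnprotectSection();
        }

        // Make sure the section is rewritten even though its values did not change.
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}

// Typical use, e.g. once from Application_Start or an admin page:
//   ConfigSectionProtector.SetProtection("~", "appSettings", encrypt: true);
// Afterwards ConfigurationManager.AppSettings still returns plaintext values,
// because the Framework decrypts the section transparently on read.
```

Check the result by opening web.config and confirming the section now contains only an EncryptedData element; a remaining plaintext value means the section name or save path was wrong.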
Use aspnet_setreg.exe http://support.microsoft.com/kb/329290
While at first glance it seems to be straightforward, there are a couple of hurdles I encountered.
So I am providing steps that worked fine for me (to encrypt the appSettings section) using the default crypto provider:
Encrypt sections in the web.config:
1. D:\Apps\myApp is assumed as the application path for the steps below - replace this by the path you're using in step 3.
2. cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
   (on 32 bit Windows systems use Framework instead of Framework64)
3. cd /D "D:\Apps\myApp"
   The /D switch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will be D:\Apps\myApp afterwards.
4. aspnet_regiis -pef appSettings .
You should see this message:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Encrypting configuration section...
Succeeded!
You can also decrypt sections in the web.config: these are the same steps, but with option -pdf instead of -pef for aspnet_regiis.
It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection strings section via:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
More details about that can be found here.
Note: The encryption above is transparent to your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparent encryption, for example by using Microsoft's DPAPI or by using AES along with the Framework's AES Class.
How it is done with DPAPI I have described here at Stackoverflow. DPAPI works very similarly in the sense that it uses the machine's or user credential's keys. Generally, non-transparent encryption gives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.