Using ASPNet_Regiis to encrypt custom configuration section - can you do it?

Question

I have a web application with a custom configuration section. That section contains information I\'ld like to encrypt (was hoping to use ASPNet_RegIIS rather than do it mys

Answer 1

I am using a workaround whereby I temporarly comment out the contents of the configSections element:

<configSection>
    <!--
    <section name="CustomSection" type="" />
    -->
</configSection>

You can then run the encryption using aspnet_regiis -pef as usual. After this has run just uncomment the section and your site is ready to run.

Answer 2

For the record, I ended up with a little maintenance page to do this for me.

var currentConfig = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration("~/");
// Unprotect
ConfigurationSection section = currentConfig.GetSection("MyCustomSection");
if (section.SectionInformation.IsProtected)
{
   section.SectionInformation.UnprotectSection();
   currentConfig.Save();
}

// Protect
if (!section.SectionInformation.IsProtected)
{
     section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
     currentConfig.Save();
}

Caveats: Your process will need write access to the config files being modified. You'll want some way to authorize who can run this. You'll generally restart the website when you Save.

Answer 3

This is a total hack, but I'm not sure that there's another way to do it without strongly naming the assembly that defines your custom section and GACifying it (although you mentioned that didn't work, either, and I'm not sure why it wouldn't). Since aspnet_regiis runs in the < drive >:\Windows\Microsoft.Net\Framework\< version > folder (in WinXP), you can copy the DLL that defines your config section into the relevant Framework\< version > folder, and then it should work.

Answer 4

aspnet_regiis must be able to bind the assembly. The normal .net binding rules apply.

I get around this by creating directory called aspnet_regiis_bin in the same directory as aspnet_regiis.exe and an aspnet_regiis.exe.config file with aspnet_regiis_bin as a private path like this:

<configuration>
   <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
         <probing privatePath="aspnet_regiis_bin"/>
      </assemblyBinding>
   </runtime>
</configuration>

I then copy the assemblies that define the custom configuration sections into aspnet_regiis_bin so that aspnet_regiis can find them.

This procedure doesn't require the assemblies to be strong named or in the GAC but does require messing around in the framework directories.

Answer 5

The answer that is shown as correct is correct. I wanted to add a comment but could not because this is too long of a comment (sample config entries).

The section name should use the full name of the assemblies. A runtime assembly qualification does not work with aspnet_regiis.exe.

This WORKS:

<configSections>
  <section name="securityConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, Microsoft.Practices.EnterpriseLibrary.Security, Version=5.0.414.0, Culture=neutral, PublicKeyToken=9c844884b2afcb9e" />
</configSections>

But this DOESN'T WORK:

<configSections>
  <section name="securityConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, Microsoft.Practices.EnterpriseLibrary.Security" />
</configSections>

<runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
     <qualifyAssembly partialName="Microsoft.Practices.EnterpriseLibrary.Security" fullName="Microsoft.Practices.EnterpriseLibrary.Security, Version=5.0.414.0, Culture=neutral, PublicKeyToken=9c844884b2afcb9e" />
    </assemblyBinding>
</runtime>