Caveman's Blog

My commitment to learning.

Encrypting the Web.Config configurations

with one comment


The web.config is a file that is not accessible to the user of a web application via a browser. The dotnet framework shields this file from all kinds of external intrusion. However someone having access to the physical file can steal sensitive information.

This vulnerability can be overcome by using aspnet_regiis, an in-build ASP.Net tool.  Following these simple steps, sections of the web.config can be encrypted (and/or decrypted) to secure the configuration settings:

Step 1: Encrypt connection Strings in the web.config. This command uses RSAProtectedConfigurationProvider (uses TripleDES and RSA encryption) for encrypting sections of the web.config file. This command has to be executed in a Visual Studio 2005/2008 command prompt window at the location where the web.config resides:

aspnet_regiis -pef connectionStrings .

Step 2: Adding users to the ACL of the key containers using the –pa parameter. Give access to the ASP.NET user:

aspnet_regiis -pa “NetFrameworkConfigurationKey” “ASPNET”

Step 3: Decrypt Connection Strings to clear text

aspnet_regiis -pdf connectionStrings .

The best part is that, the web application code does not have to change one bit after the encryption of web.config file. Following is a before and after view of the Connection Strings section of a web.config file:

Before:

<connectionStrings>
  <add name="MembershipConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\LOCALDB.MDF;Integrated Security=True;User Instance=True"
  providerName="System.Data.SqlClient" />
</connectionStrings>

After:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>Qnp5eTaECH2wMwlRJjne61lKvEcRfZ3NDeCUhtw+wRKPmmY3Z3iZPBowIZwclU6gjdmY48/dhAEdUCLmzM5iEfHmPoyli+LMW5Yz1pQZM8I7iTFLLgeKux1CgUwP+bUtCpvP66Vu5wL5/veYSiR7kGzu/FgH+8vM6M3SYusHVGQ=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>BPA8J8Vue27wc4COgJ2Pfk9XCe7umTNAKdTJ2WnsyIg/zpEpdL4H6zxE0b5DBFehWTARRAtxfJhNUz4mp+QZvBZ0Iod1utujiXP0+EiWZpY8v31s94lgFhE88cH/CoF/vZgHYyDfedBTtJtUyN1xpegxzHHy38IwDElXUhb3UHP3X3nRWPJ0AohYz8xZZRMzn8MEDJDWCoKErwtMpUbE08AEZHDQSU6ITSn5urNrgS+V2CYYwhY3t1VbA2b+mEQFxVin4bEvOl+O8HGl2kzPtq5rhN60FnbxjPyHwCeHvl8JOzjk/ND8go/w49N61eGrGOH2xFNFPw2mhGVkJD5Lm8nn7xeo30YSS+Ct9uGzLfs=</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

Tip: Here is how to secure appsettings

Encrypt appSettings: aspnet_regiis -pef appSettings .

Decrypt appSettings: aspnet_regiis -pdf appSettings .

References:
1. How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
2. Encrypting configuration files using protected configuration

Advertisements

One Response

Subscribe to comments with RSS.

  1. Thanks for your articles about multiple config files and web.config encryption. Now, the question is how to encrypt a section, located in separated config file.

    Dmitry

    October 1, 2009 at 1:17 pm


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: