Wednesday, January 21, 2009

How to Encrypt a Section in Web.Config?

It is often required to encrypt usernames, passwords or even connection string in the web.config file. The usual method to do is using any of the encryption algorithm and saving the encryption Key in the config file. .NET has provided with a classic feature of encrypting an entire section in the web.config file. Using this feature .NET saves the key in the Machine.key file. User ONLY needs to encrypt the section in the web.config file, the decryption of the section is taken care by the .NET framework. Here is a step by step procedure on encrypting a section:

Section in Web.config


<!-- User Credentials -->
<ImpersonateUser>
<add key ="domain" value ="domain_name"/>
<add key ="username" value ="user_name"/>
<add key ="password" value ="password"/>
</ImpersonateUser>

Step 1:
Open the Visual Studio Command Prompt in Administrative Mode
Go to Start --> Programs --> Visual Studio 2008 --> Visual Studio Tools --> Visual Studio Command Prompt right click and say "Run as Administrator"

Step 2:
Type the following command:
aspnet_regiis -pef "ImpersonateUser" "D:\SourceCode\RootFolder" -prov "RsaProtectedConfigurationProvider"
The web.config file should be present at the path "D:\SourceCode\RootFolder". The actual command looks like:
aspnet_regiis -pef "SECTION_NAME" "PATH_TILL_WEB.CONFIG" -prov "ENCRYPTION_PROVIDER"

Step 3:
Run the above command.
The above command will encrypt the ImpersonateUser section in the web.config file and will save the web.config file at the given location. The encrypted section will look like:

<ImpersonateUser configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>nQGcFhli6gRmNXD1vjJG+fQw8nN80NwaXjKsVDsSbcoLqAmbKPDhZZvXw1E81uY6+3AhmUzp1SQSTavIVKjj8RvQI21LzaSSc8UUwo7Q7ZRHeBCpyQE+xRs9BlvsXjyn0oX/q5Ns4uoRU3OEkJlcYmFizrGG7YuHdvogh8+wFLE=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>YJODT4I4FKNuUqG3o3QEn8UGXS3jSeFjkVsE2r+jQuBy6fqh4Uc/psu49Rr0SgsDlx7RDm+yIzztRki7ETgNCaSwkkX0h3TXsnJv8jA+FuRmOqIXU8sfjF/5p1KNRkj8l1yzFueom2llRpjprclTvxlTVUQopOTXuodBV3dFnqnqTe/gu70GOqdNooNyWgn02hvG5GjL4mXdb8iMGDMJSrgin6E3nYMrkV71nMkPXi8+MeenWfRWQ1BH8BNblC9R</CipherValue>
</CipherData>
</EncryptedData>
</ImpersonateUser>

Most important thing is, while using the web.config key’s in the C# code we DO NOT have to decrypt the section. .NET automatically does it and provides us with the decrypted values.

Hope this helps. Your comments will help us improve :)

7 comments:

James said...

I have followed the steps you have mentioned above. It works great on the developer's environment, but throws an error in production. The error says - Unable to access RSA configuration.

Can you please provide the solution?

Sandeep Aparajit said...

It seems that your ASP.NET or the Network Service account does not have the required premission. Use the following command:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "ASPNET"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service".

Hope this helps you :)

Offshore Software Development India said...

Hey Sandeep m having the permission. And its working well. Exactly what I needed.

Bharath Reddy VasiReddy said...

nice articel...

Bharath Reddy VasiReddy said...

Hi article was very nice...

Can any one tell me how to encrypt specific portion of my web.config file like, i have many appSettings tags for storing differenct values and few usernames and passwords. I want to encrypt only few key/value pairs..not all...it is posible if so how....

thanks
bharath reddy vasireddy

Anonymous said...

Hi sandeep,

I am a fresher working on a project in which i have been assigned to encrypt the username name and pwd.
So is the above procedure sufficient or do i need to make any other changes.
In a book about .Net for beginners it talks about Hashing the password.
So im confused can u pls lemme know how and which method to follow on encrypting username and password of login page.

Mohd Hameed said...

Hi, Thanks working perfectly....

Post a Comment