Introduction
After my previous article on connection strings, I got a lot of feedback asking me to write about the encryption techniques available in Visual Studio 2005, commonly known as Whidbey. So here's an article that introduces you to the techniques available to encrypt sections of the web.config file.
By default, ASP.NET 2.0 supports XML encryption for some of the sections. But there are other sections, such as the connection strings, which need to be encrypted and kept secure. One of the best things that Microsoft has done, even with ASP.NET 1.x, is that you can't access the web.config file of any web application on a remote computer, thereby enhancing security. But web.config is an XML file and hence text based, so it can be manipulated by authenticated or unauthenticated users through different means. Protecting the sections of the web.config file was a problem in ASP.NET 1.x, and developers had to write their own utilities to secure them.
What's there in ASP.NET 2.0
In ASP.NET 2.0, we have a section called protectedData which contains two subsections:
- Providers
- ProtectedDataSections
The Providers section holds the names of the protection providers available in ASP.NET. The ProtectedDataSections section is where you specify the name of each section to be encrypted and the type of encryption to use, which is chosen from the Providers section.
    <protectedData defaultProvider="RSAProtectedConfigurationProvider">
      <providers>
        <add name="RSAProtectedConfigurationProvider"
             type="…"
             keyName="RSA Key"
             keyContainerName="NetFrameworkConfigurationKey"
             cspProviderName=""
             useMachineContainer="true" />
        <add name="DataProtectionConfigurationProvider"
             type="…"
             keyName="Net Framework DPAPI Key"
             keyEntropy=""
             useMachineProtection="true" />
      </providers>
      <protectedDataSections>
        ………
        …….
        ……
      </protectedDataSections>
    </protectedData>
This is how you can encrypt most of the sections of web.config. Apart from that, you can encrypt the connection strings before putting them into the web.config file. This can be achieved by using aspnet_regiis.exe.
A simple way to use aspnet_regiis to encrypt connection strings for the MyData application:
    aspnet_regiis.exe -pe connectionStrings -app /MyData
On doing this, your connectionStrings section will be encrypted and will no longer appear as clear text. To decrypt it, you can use:
    aspnet_regiis.exe -pd connectionStrings -app /MyData
In addition to the aspnet_regiis.exe tool, you are also free to use any third-party software to encrypt and decrypt sections of the web.config.
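One way to confirm that the -pe step above took effect, as an added example that is not part of the original article: the Python check below classifies a section as missing, plaintext or encrypted. It assumes the section layout written by the released .NET Framework 2.0 (a configProtectionProvider attribute and an XML Encryption EncryptedData element); audit_section, local and both sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
CRED_RE = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)

# Constructed samples (not from a real app); CipherValue is a placeholder.
PLAIN_CONFIG = """<configuration>
  <connectionStrings>
    <add name="MyData" connectionString="Server=db01;Database=MyData;User Id=app;Password=example-only" />
    <add name="Reports" connectionString="Server=db01;Database=Reports;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RSAProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def local(tag):
    """Strip any XML namespace so a namespaced <configuration> still matches."""
    return tag.rsplit("}", 1)[-1]


def audit_section(config_xml, section="connectionStrings"):
    """Return ("missing", []), ("encrypted", [provider]) or
    ("plaintext", [names of entries whose connection string embeds a password])."""
    root = ET.fromstring(config_xml)
    node = next((e for e in root if local(e.tag) == section), None)
    if node is None:
        return "missing", []
    # A protected section holds only ciphertext under EncryptedData.
    cipher = node.find(".//" + XMLENC + "CipherValue")
    if cipher is not None and (cipher.text or "").strip():
        return "encrypted", [node.get("configProtectionProvider")]
    exposed = [e.get("name") for e in node if local(e.tag) == "add"
               and CRED_RE.search(e.get("connectionString", ""))]
    return "plaintext", exposed


if __name__ == "__main__":
    for label, text in (("before -pe", PLAIN_CONFIG), ("after -pe", ENCRYPTED_CONFIG)):
        print(label, audit_section(text))
```

A "plaintext" result with a non-empty list names the entries that still expose a password and should be protected with the -pe command.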
Happy coding in Whidbey!
Nishith Pathak is an avid reader, prolific writer, speaker for Microsoft India, published author of APress and a Microsoft purist. He is MVP, MCPD, MCTS, MCSD.Net, MCAD.Net(EA), MCSD. His proficiency lies in exploring Microsoft technology and sharing it with his peers. He is a contributing author and an avid technical reviewer for multiple electronic and print publications. He has recently co-authored a book on WCF called Pro WCF: Microsoft Practical SOA Implementation for APress Inc, USA. Over the years, he has also been involved in providing consultancy and training services to corporations. He has been awarded Microsoft Most Valuable Professional (MVP). Working with .Net since its beta version underpins his competency in .Net. He can be contacted at NisPathak@Hotmail.com or at his blog http://DotNetPathak.Blogspot.com. Currently he is focused on key areas of the Microsoft platform, specifically distributed computing, service orientation and exploring Vista, and helps companies architect solutions based on Service Oriented Architecture.