
Encrypting Applications web.config Using .NET Framework Utility

21 Oct 2015, CPOL, 4 min read, 24.7K views
This tip is about encrypting the web.config file using the aspnet_regiis utility of the .NET Framework.

Introduction

This tip shows how to encrypt web.config sections such as appSettings and connectionStrings before deploying to Dev, QA or PROD servers, using the .NET Framework utility aspnet_regiis.

Background

Recently, I went through different articles and Q&As to find out how to encrypt the sensitive data in web.config before it is deployed onto a server, whether a single machine or a web farm. I found solutions, but each was missing one part or another, so following a particular article's steps did not work in one go.

A simple scenario: I have a .NET web application (MVC 5) whose web.config contains sensitive information such as passwords and other secrets in the appSettings and connectionStrings sections, which I don't want to expose to anyone other than the developer. I want to encrypt these sections and deploy to the server. Since the target is a web farm, the same encrypted file should work on each machine, with minimal effort and minimal code changes.

I know this might be an old topic for intermediate/expert developers, but not all of us know these simple steps and the easiest way to encrypt web.config sections. Hence, I am posting this tip.

Note - I'm showing only the basic steps needed to encrypt the web.config, deploy it, get it running on a server and reuse the same encrypted file on different servers. I am not going into detail about what each step does. Keeping it short and sweet! There are articles on MSDN, CodeProject and other sites which you can refer to for the basics and the different types of protected-configuration providers.

Using the Code

Let me make some assumptions, so that the commands I'm writing are generic.

  1. The application targets .NET Framework 4.x (the v4.0.30319 runtime folder is used below).
  2. <app-Name> - replace this tag with your application name. Keep the Keys suffix as it is.
  3. <path*> - replace this tag with the folder in which the config file (or the exported key XML) resides.
  4. I have tested this on Windows Server 2008 R2, where the application was deployed.
  5. If a command fails to run, retype it rather than pasting it from the browser, and check that all quotes are plain ASCII double quotes.
  6. Importantly, run all of these commands from an elevated (Administrator) prompt.

If the application is to be deployed to a web farm or to several machines, a web.config encrypted with the default machine key container (NetFrameworkConfigurationKey) will not decrypt on another machine, because every machine has its own copy of that container. Hence, alongside the web.config, a named key container needs to be created and its key exported, so that the same key can be imported on every server without modifying web.config.

Here, we use an RSA key container together with the RsaProtectedConfigurationProvider.

1.1 Action to be Performed on Local Machine by Developer

Steps 1-7 are a one time process.

Command prompt
// 1. Open the Visual Studio Developer Command Prompt (or cmd.exe) as Administrator

// 2. Change to the .NET Framework 4 folder that contains aspnet_regiis.exe
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

// 3. Create an exportable, machine-level RSA key container (-exp is what later allows -px to export the private key)
aspnet_regiis -pc "<app-Name>Keys" -exp

// 4. Grant Network Service access to the default container. Only needed if something on this
//    machine also uses the default RsaProtectedConfigurationProvider; the custom provider below does not.
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

// 5. Grant the same identity access to your container, so the site can be run locally under Network Service
aspnet_regiis -pa "<app-Name>Keys" "NT AUTHORITY\NETWORK SERVICE"

// 6. Create an empty folder named Keys on the C:\ drive

// 7. Export the container to XML including the private key (-pri); the file is created in C:\Keys.
//    keys.xml is now a secret: it decrypts every config protected with this container, so store and
//    share it like a password.
aspnet_regiis -px "<app-Name>Keys" "C:\Keys\keys.xml" -pri

Now, let's encrypt the appSettings and connectionStrings sections using the container we just created.

// 8. Add the following to web.config immediately after the closing </configSections> tag.
//    It registers a custom RSA protected-configuration provider bound to your key container.
XML
<configuration>
  <configSections>
    <!-- your existing section declarations -->
  </configSections>
  <configProtectedData defaultProvider="MyProvider">
    <providers>
      <!-- useMachineContainer="true": the key lives in the machine-level store, which is
           what the identities granted with aspnet_regiis -pa can read -->
      <add name="MyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
           keyContainerName="<app-Name>Keys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <!-- rest of web.config -->
</configuration>
Command prompt
// 9. Encrypt appSettings and connectionStrings with the custom provider
aspnet_regiis -pef "appSettings" "<path*>" -prov "MyProvider"

aspnet_regiis -pef "connectionStrings" "<path*>" -prov "MyProvider"

<path*> - the folder in which the web.config resides after publishing (folder only, no file name),
	e.g. C:\PublishedCode\MyApplication
	Encrypt the published copy rather than the project source, so that config transforms (Web.Release.config etc.) have already been applied.

Now open web.config. Each encrypted section carries a configProtectionProvider="MyProvider" attribute and its contents are replaced by an <EncryptedData> element (an RSA-wrapped session key plus the ciphertext of the original section); the original keys and values are no longer readable.
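The whole developer-side procedure (steps 1 to 9) as one PowerShell script, added here as an example and not part of the original tip or of the .NET Framework tooling. It assumes a container named ContosoWebKeys, an export path of C:\Keys\keys.xml, the published site in C:\PublishedCode\ContosoWeb and the provider name MyProvider from the web.config above; all four are parameters. It stops at the first aspnet_regiis call that fails and, after encrypting, inspects the resulting web.config instead of trusting the exit code alone.

```powershell
# Added example (not from the original article): developer-side key container
# creation, export and web.config section encryption, with a verification step.
# Assumed names: container "ContosoWebKeys", export path C:\Keys\keys.xml,
# published site folder C:\PublishedCode\ContosoWeb, provider "MyProvider".
# Run from an elevated PowerShell prompt.
param(
    [string]$ContainerName = 'ContosoWebKeys',
    [string]$ExportPath    = 'C:\Keys\keys.xml',
    [string]$SitePath      = 'C:\PublishedCode\ContosoWeb',
    [string]$Provider      = 'MyProvider'
)

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# Thin wrapper: aspnet_regiis reports failure through its exit code, so turn that into an exception.
function Invoke-RegIis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create an exportable machine-level RSA key container (one-time).
Invoke-RegIis @('-pc', $ContainerName, '-exp')

# 2. Let Network Service read it (only needed to run the site locally under that identity).
Invoke-RegIis @('-pa', $ContainerName, 'NT AUTHORITY\NETWORK SERVICE')

# 3. Export the container WITH the private key (-pri). The file is a secret: treat it like a password.
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
Invoke-RegIis @('-px', $ContainerName, $ExportPath, '-pri')

# 4. Encrypt the sections of the *published* web.config using the custom provider.
foreach ($section in 'appSettings', 'connectionStrings') {
    Invoke-RegIis @('-pef', $section, $SitePath, '-prov', $Provider)
}

# 5. Verify: an encrypted section carries configProtectionProvider and an EncryptedData child.
function Test-SectionEncrypted {
    param([string]$ConfigPath, [string]$Section)
    [xml]$cfg = Get-Content -Raw $ConfigPath
    $node = $cfg.configuration.$Section
    return ($node.configProtectionProvider -eq $Provider) -and ($null -ne $node.EncryptedData)
}

$configPath = Join-Path $SitePath 'web.config'
foreach ($section in 'appSettings', 'connectionStrings') {
    if (-not (Test-SectionEncrypted $configPath $section)) {
        throw "$section in $configPath is still in clear text"
    }
}
Write-Host "Sections encrypted with provider $Provider."
Write-Host "Hand $ExportPath to the deployment team over a secure channel, then delete the local copy."
```

The script deliberately skips the grant on the default NetFrameworkConfigurationKey container: the custom provider named in web.config never reads it, so that grant only matters for applications still using the default provider.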

Now, share the published build containing the encrypted web.config together with the keys.xml container we generated with the network/support team that deploys to the servers. Send keys.xml over a secure channel (it contains the private key), never alongside the build on a shared drop folder.

1.2 Action to be Performed at Server Machine

You may already have an application pool on IIS, or the deployment team will create one for you on the server. Usually, developers hand over the published output, which the deployment team then copies into the application directory.

Once that is done, browsing to the application will fail with a server error stating that the configuration section could not be decrypted using provider MyProvider because the RSA key container could not be opened: the server does not yet have the container. So, let's import the key container that was used to encrypt this config.

  1. Copy the exported container key to some folder on the server machine (e.g. C:\Keys\). Delete it once the steps below are performed.
  2. Run cmd.exe with admin rights - important!
Command prompt
// 1. Change to the .NET Framework 4 folder
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

// 2. Import the key container (private key included) from the exported file
aspnet_regiis -pi "<app-Name>Keys" "C:\Keys\keys.xml"

// 3. Grant Network Service access to the default container (same caveat as on the developer
//    machine: only applications using the default provider need this)
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

// 4. Grant Network Service access to your container (needed only if the app pool runs as Network Service)
aspnet_regiis -pa "<app-Name>Keys" "NT AUTHORITY\NETWORK SERVICE"

// 5. Grant the app pool identity access - replace <AppPool-Name> with the pool's name in IIS.
//    This is the grant that matters when the pool uses the default ApplicationPoolIdentity.
aspnet_regiis.exe -pa "<app-Name>Keys" "IIS APPPOOL\<AppPool-Name>"

That's it! Now recycle the application's app pool and browse to the application. It should work as normal.

If the import fails because a key container with that name already exists on the server, remove it with the command below and run the import again. Note that -pz deletes the container for the whole machine: any other application on that server whose config was encrypted with it will stop decrypting.

Command prompt
aspnet_regiis -pz "<app-Name>Keys"

Follow the same steps on every other server in the farm with the same exported container key.
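The server-side procedure (import, grant, recycle, and the "container already exists" case) as one PowerShell script, added here as an example and not part of the original tip or of the .NET Framework tooling. It assumes a container named ContosoWebKeys, the exported file at C:\Keys\keys.xml, an IIS application pool named ContosoWeb running under ApplicationPoolIdentity, the site reachable at http://localhost/, PowerShell 3.0 or later and the WebAdministration module; the names are parameters.

```powershell
# Added example (not from the original article): server-side import of the exported
# container, ACL grant to the app pool identity, cleanup of the key file and a smoke test.
# Assumed names: container "ContosoWebKeys", key file C:\Keys\keys.xml,
# app pool "ContosoWeb", site URL http://localhost/. Run from an elevated PowerShell prompt.
param(
    [string]$ContainerName = 'ContosoWebKeys',
    [string]$KeyFile       = 'C:\Keys\keys.xml',
    [string]$AppPool       = 'ContosoWeb',
    [string]$SiteUrl       = 'http://localhost/',
    [switch]$Replace       # delete an existing container of the same name first (-pz)
)

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $KeyFile)) { throw "key file $KeyFile not found; copy it from the developer first" }

# -pz is destructive: it removes the container for every application on this host,
# so it only runs when explicitly requested with -Replace.
if ($Replace) { Invoke-RegIis @('-pz', $ContainerName) }

# 1. Import the container (private key included, since it was exported with -pri).
Invoke-RegIis @('-pi', $ContainerName, $KeyFile)

# 2. Grant read access to the identity the site actually runs as. With the default
#    ApplicationPoolIdentity that is IIS APPPOOL\<pool>; grant NETWORK SERVICE instead
#    only if the pool is configured to use it.
Invoke-RegIis @('-pa', $ContainerName, "IIS APPPOOL\$AppPool")

# 3. The key file holds the private key in clear text: remove it once it is imported.
Remove-Item $KeyFile -Force

# 4. Recycle the pool so the new ACL is picked up, then smoke-test the site.
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPool
try {
    $resp = Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing
    if ($resp.StatusCode -ne 200) { throw "site returned HTTP $($resp.StatusCode)" }
    Write-Host "OK: $SiteUrl served after decrypting web.config with container $ContainerName"
} catch {
    throw "site failed after key import: $($_.Exception.Message) (check that the app pool identity was granted access with -pa)"
}
```

Remove-Item only unlinks the file; if the server's disk is not encrypted and the key material is considered high value, overwrite the file before deleting it or keep it on removable media that never stays on the server.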

Points of Interest

So, we learnt how to encrypt the web.config sections that contain sensitive data we don't want to expose, using the built-in .NET Framework utility from the command prompt. No coding is needed in the existing application, apart from the <configProtectedData> section we introduced; ConfigurationManager decrypts the sections transparently at runtime.

Keep the threat model in mind: this protects the secrets at rest, against anyone who can read the file (backups, deployment shares, source control, a developer who does not have the key). It does not protect them from an administrator on the server or from anything running as the app pool identity, since either can read the container and aspnet_regiis -pdf reverses the encryption. Access to the exported keys.xml is equivalent to access to every secret encrypted with it.

For an in-depth understanding, read the MSDN documentation on protected configuration and the aspnet_regiis tool.

Happy learning, happy coding. :)

History

  1. First version - Only commands & very brief explanation of steps

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)