Encrypt ConnectionString in Web.Config

Yamin Khakhu

4.87/5 (46 votes)

15 Jul 2014CPOL3 min read

337.4K

4.7K

Encrypting the configuration in Web.Config

Download EncryptWebConfig.zip - 5 KB

Introduction

The tip gives you information about how to encrypt the connection string in Web.Config to increase the security and keep the connection with the database secure. There is so much other sensitive information that can be encrypted but in this tip, I'll particularly talk about encrypting the ConnectionString in Web.Config file.

Why It Is Important?

Encrypting sensitive sections of the Web.Config is important because they are just that, sensitive. Think about production Web.Config file. It may contain all information that requires running your web application. There are often passwords for SQL database connections, SMTP server, API Keys, or other critical information. In addition to this, Web.Config files are usually treated as just another source code file, that means, any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in Web.Config file.

Encrypting the Connection String

In our example, we will encrypt ConnectionString in our Web.Config file.

Before Encrypting Web.Config

If you look at the below Config file, it can be easily readable. This doesn't seem to be secure if anyone has access to your Web.Config file.

XML

<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>

Encrypting Web.Config

Open Command Prompt with Administrator privileges

At the Command Prompt, enter:

XML

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
```
ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
```
Use Aspnet_regiis.exe tool with the –pef option and specify the application path as shown above.

Note: The parameter "connectionStrings" is case sensitive.

After Encrypting Web.Config

After encrypting your ConnectionStrings section, your ConnectionStrings will not be in a readable format.

XML

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>ZbDTF00MYzUUW5U3w3PU0rfiAH1UKhvuLSNWPmB/YifBKne6HAWfVc3CnKVimyP8SFyamaR5oAIAxj/xavfpox8EOYXNI+afsksiuA5huSDupCZKNuXq+VCZrdIyn6YOq+W7s3Ojlu7q9VwKcoKurl28l2hcPvWkBk11KYB7hr0=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>42IPPRUjJxCNDHEBLCAJI4/NyLpLueZSBzUXO69lVdZU8+nLpxO+opnbZNxqddyzNnbCO1Uk2Da3ljExkqnLIxT2zs90JAhZvJ5ljIgCipq7ZEp7zHOpvTH9fBGoZJJWhgdddOrHZsLDE9mILjlvBHDhPQrYcMHtY6oLIbxJq92it82iBJv0fS7v1S/o0p4hAtfky+6hXCZWSKUJHr88NDrKe2EEK3mazD2QD5Ozf/w=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>

Accessing Decrypted Configuration Settings

It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?

string ConnString = ConfigurationManager.ConnectionStrings[1].ToString();

Decrypting the Connection String

Is it possible to decrypt my Web.Config so that I can read it in original format?

Yes, it is possible.

Simply perform the following command to decrypt the connectionStrings element in the Web.config file.

ASPNET_REGIIS -pdf "connectionStrings" "D:\Articles\EncryptWebConfig"

Note: The parameter "connectionStrings" is case sensitive.

Questions and Answers

1. You might ask me a question if Web.Config file can be encrypted and decrypted using ASPNET_REGIIS then anyone who has access to Web.Config file can decrypt the content, right?

To answer this question, I would say no, if you encrypt your Config file, then your machine would store your keys and if you copy the Config file to a different system and try to decrypt it, then you might get an error.

Pros

Web.Config sensitive information is not in a readable condition (after encryption)
You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request

Cons

You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.

Points of Interest

Web.Config encryption only takes a couple moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker that has full access to your entire server.

I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?

History

07/11/2014: Created
07/15/2014: Updated broken link to download source code.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)