How to encrypt one entry in web.config

asp.net encryption web-config
Stan picture Stan · Jun 3, 2011 · Viewed 32.3k times · Source

ASP.NET 4

I've used RSA key encryption for connection strings in web.config on my web farm. However, there's one more custom password entry that I'd like to encrypt. How should I encrypt it with RSA key without having the rest configurations being encrypted. Please advise, thanks.

Example:

  <appSettings>
        ...
    <add key="Host" value="www.foo.com" />
    <add key="Token" value="qwerqwre" />
    <add key="AccountId" value="123" />
    <add key="DepartmentId" value="456" />
    <add key="Password" value="asdfasdf" />
    <add key="SessionEmail" value="[email protected]" />
    <add key="DefaultFolder" value="789" />
  </appSettings>

Answer

Darin Dimitrov picture Darin Dimitrov · Jun 3, 2011

You could put the password into a separate section and encrypt this section only. For example:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>

    <appSettings>
        <add key="Host" value="www.foo.com" />
        <add key="Token" value="qwerqwre" />
        <add key="AccountId" value="123" />
        <add key="DepartmentId" value="456" />
        <add key="SessionEmail" value="[email protected]" />
        <add key="DefaultFolder" value="789" />  
    </appSettings>

    <secureAppSettings>
        <add key="Password" value="asdfasdf" />
    </secureAppSettings>  
</configuration>

and then (note that I am using DPAPI in my example so adapt the provider for RSA):

aspnet_regiis -pef secureAppSettings . -prov DataProtectionConfigurationProvider

Once encrypted the file will look like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>

    <appSettings>
        <add key="Host" value="www.foo.com" />
        <add key="Token" value="qwerqwre" />
        <add key="AccountId" value="123" />
        <add key="DepartmentId" value="456" />
        <add key="SessionEmail" value="[email protected]" />
        <add key="DefaultFolder" value="789" />  
    </appSettings>

    <secureAppSettings configProtectionProvider="DataProtectionConfigurationProvider">
        <EncryptedData>
            <CipherData>
                <CipherValue>AQAAANCMnd.......</CipherValue>
            </CipherData>
        </EncryptedData>
    </secureAppSettings>  
</configuration>

The way you would access those settings in your application once the file is encrypted is still the same and completely transparent:

var host = ConfigurationManager.AppSettings["Host"];
var password = ConfigurationManager.AppSettings["Password"];

Related questions

Adding machineKey to machine.config

I would like to add the machineKey to my machine.config since I am working with programmatic encryption of web.config connection strings in a web farm scenario. My question is, where do I place the machineKey in the machine.…

Read More
Best Practices for Passing Data Between Pages

The Problem In the stack that we re-use between projects, we are putting a little bit too much data in the session for passing data between pages. This was good in theory because it prevents tampering, replay attacks, and so …

Read More
Decrypting an 'Encrypted' password from ASP.NET 2.0 Membership

I have a requirement to decrypt the Encrypted (not Hashed) passwords located in my aspnet_Membership table. In that database I see the Password (Encrypted) and PasswordSalt fields, and I can look at my web.config to find the machinekey &…

Read More