
Encrypting and Decrypting Configuration Sections in .NET Applications


codeling 1602 - 6666
@2016-12-15 09:54:43

As you already know, you can use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) to encrypt or decrypt sections of a Web configuration file. ASP.NET automatically decrypts encrypted configuration elements when the Web.config file is processed.

Encrypting and Decrypting a Web Configuration Section

To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted.

Use the -app option to identify the application for which the Web.config file will be encrypted and the -site option to identify which Web site the application is a part of. Use the -prov option to identify the name of the ProtectedConfigurationProvider that will perform the encryption and decryption. If you do not specify a provider using the -prov option, the provider configured as the defaultProvider is used.

For example, the following command encrypts the connectionStrings element in the Web.config file for the application SampleApplication. Because no -site option is included, the application is assumed to be from Web site 1 (most commonly Default Web Site in IIS). The encryption is performed using the RsaProtectedConfigurationProvider specified in the machine configuration.

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

To decrypt encrypted configuration file contents, use the Aspnet_regiis.exe tool with the -pd switch and the name of the configuration element to be decrypted. Use the -app and -site switches to identify the application for which the Web.config file will be decrypted. You do not need to specify the -prov switch to identify the name of the ProtectedConfigurationProvider, because that information is read from the configProtectionProvider attribute of the protected configuration section.

The following command decrypts the connectionStrings element in the Web.config file for the ASP.NET application SampleApplication:

aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"

 

@2016-12-15 10:09:36

Encrypting the Connection Strings in App.Config file

Follow these steps to encrypt the Connection Strings in the App.Config file.

1. Renaming App.Config file to Web.Config

The aspnet_regiis.exe command-line utility of Visual Studio does not recognize App.Config files, hence we need to temporarily rename the App.Config file to Web.Config.

2. Encrypting the Connection String in App.Config using aspnet_regiis.exe tool

In order to encrypt the ConnectionString section in the App.Config file, we will need to use the aspnet_regiis.exe tool. The syntax is:

aspnet_regiis.exe -pef "connectionStrings" <Path of the Folder containing the App.Config file>

Action – Specifies the action to be performed. In order to perform Encryption, the parameter value is -pef.

Section Name – The name of the section of the App.Config file to be encrypted. For this case, the value will be connectionStrings.

Path of the folder – Here we need to specify the path of the folder containing the App.Config file.

For example, the following command will encrypt all the Connection Strings present in the ConnectionStrings section:

aspnet_regiis.exe -pef "connectionStrings" D:\Projects\MyTestApp

3. Renaming Web.Config file to App.Config

Once the encryption is successful, you can now rename the Web.Config file to App.Config so that it can be used in the Windows or Console applications.

4. Decrypting the Connection String in App.Config using aspnet_regiis.exe tool

In order to decrypt the ConnectionString section in the App.Config file, you will have to rename the App.Config file to Web.Config again and, once the decryption is successful, change its name back to App.Config.

Syntax

aspnet_regiis.exe -pdf "connectionStrings" <Path of the Folder containing the App.Config file>

Action – Specifies the action to be performed. In order to perform Decryption, the parameter value is -pdf.

Section Name – The name of the section of the App.Config file to be decrypted. For this case the value will be connectionStrings.

Path of the folder – Here we need to specify the path of the folder containing the App.Config file.

Example

aspnet_regiis.exe -pdf "connectionStrings" D:\Projects\MyTestApp
@2016-12-15 10:16:18

The following DOS batch commands can be used to simplify the above encryption steps. Just create a DOS batch file named encrypt.bat by copying and pasting the code below:

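@echo off
setlocal

rem Path to the .NET Framework 4.x copy of aspnet_regiis.exe
set regiis=c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

rem Both the config file name and the section name are required
if x%2 == x goto usage

rem Note: this removes any web.config already present in the current folder
del web.config /F/Q >nul 2>nul

rem Encrypt by default; any third argument switches to decryption
set enDirection=-pef %2 . -prov DataProtectionConfigurationProvider
if not x%3 == x set enDirection=-pdf %2 .

rem aspnet_regiis only processes web.config, so rename, run, rename back
ren %1 web.config
%regiis% %enDirection%
ren web.config %1

goto end

:usage
echo USAGE: encrypt configFilename sectionName [decrypt]
echo e.g. encrypt abc.config connectionStrings

:end
endlocal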

 

 

@2016-12-15 10:31:05

The following C# code demonstrates how to encrypt the connectionStrings section programmatically.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Configuration;
using System.Reflection;

namespace MyApplication
{
    static class Program
    {

        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        static int Main(string[] args)
        {
            // Encrypt only when the /encrypt switch is passed on the command line
            bool encrypt = false;
            foreach (string arg in args)
            {
                if (arg == "/encrypt")
                {
                    encrypt = true;
                    break;
                }
            }

            if (encrypt)
            {
                EncryptConnectionStrings();
                Console.Out.WriteLine(".Config file ConnectionsStrings section encrypted");
            }
            else
            {
                //
                //
            }
            return 0;
        }

        // Assumed helper (not defined in the original post): full path of the running executable
        static string GetAppFullyQualifiedName()
        {
            return Assembly.GetExecutingAssembly().Location;
        }

        static void EncryptConnectionStrings()
        {
            // Open the .config file that belongs to this executable
            string appFullyQualifiedName = GetAppFullyQualifiedName();
            Configuration objConfig = ConfigurationManager.OpenExeConfiguration(appFullyQualifiedName);
            ConnectionStringsSection objAppsettings = (ConnectionStringsSection)objConfig.GetSection("connectionStrings");
#if DEBUG
            // we don't encrypt the connection strings when it's a DEBUG build
#else
            // Protect the section only if it is not already encrypted
            if (!objAppsettings.SectionInformation.IsProtected)
            {
                objAppsettings.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
                objAppsettings.SectionInformation.ForceSave = true;
                objConfig.Save(ConfigurationSaveMode.Modified);
            }
#endif
        }
    }
}
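
The verification and decryption side of the program above, as an added example that is not code from the original post: it reports whether the connectionStrings section of an executable's .config file is protected and by which provider, and with /decrypt restores it to plain text. The class name ConfigProtectionAudit, the argument layout and the exit codes are assumptions made for this example.

```csharp
using System;
using System.Configuration;

// Added example (not from the original post).
// Usage: ConfigProtectionAudit <exePath> [/decrypt]
static class ConfigProtectionAudit
{
    const string SectionName = "connectionStrings";

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("USAGE: ConfigProtectionAudit <exePath> [/decrypt]");
            return 2;
        }
        bool decrypt = args.Length > 1 && args[1] == "/decrypt";
        Configuration config = ConfigurationManager.OpenExeConfiguration(args[0]);
        if (!config.HasFile)
        {
            Console.Error.WriteLine("No config file found at " + config.FilePath);
            return 2;
        }
        try
        {
            ConfigurationSection section = config.GetSection(SectionName);
            if (section == null) { Console.Error.WriteLine("Section not found"); return 2; }
            SectionInformation info = section.SectionInformation;
            if (!info.IsProtected)
            {
                Console.WriteLine(SectionName + ": NOT protected (plain text)");
                return 1; // non-zero so a deployment script can fail on it
            }
            Console.WriteLine(SectionName + ": protected by " + info.ProtectionProvider.Name);
            if (decrypt)
            {
                info.UnprotectSection();
                info.ForceSave = true;
                config.Save(ConfigurationSaveMode.Modified);
                Console.WriteLine(SectionName + ": decrypted and saved");
            }
            return 0;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Raised, for example, when the key that encrypted the section
            // is not available to this machine or account.
            Console.Error.WriteLine(SectionName + ": cannot be read: " + ex.Message);
            return 3;
        }
    }
}
```

Running it without /decrypt after the encryption step gives a quick check that the section really was written back in protected form.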
