In an earlier article I discussed how the ASP.NET 2.0 configuration file is applied and how it is processed. Now I will describe how to use encryption to protect data stored in the ASP.NET 2.0 configuration file.
I will first summarize the encryption options and then walk through the actual process of encrypting data values in the configuration file.
Protected Configuration
ASP.NET 2.0 introduces a protected configuration feature that lets you encrypt machine.config and web.config using either the Data Protection API (DPAPI) or RSA encryption. Developers have long wanted this type of feature to protect sensitive data such as connection strings and account credentials.
This feature allows developers to encrypt one or more sections of the configuration file. The following list shows some of the sections that can be encrypted:
- appSettings: defines and stores custom application values.
- connectionStrings: database connection strings used to access external data sources.
- identity: contains the Web application identity, which may include impersonation credentials.
- sessionState: configures session state settings for the current application.
You cannot use the protected configuration feature on the following sections of the web.config and machine.config files:
- processModel
- runtime
- mscorlib
- startup
- system.runtime.remoting
- configProtectedData
- satelliteassemblies
- cryptographySettings
- cryptoNameMapping
- cryptoClasses
The .NET Framework provides two ways to encrypt a configuration file: the aspnet_regiis.exe command-line utility and encryption code written by the developer inside the application. This article describes the command-line approach.
ASP.NET IIS Registration Tool
The ASP.NET IIS Registration Tool (aspnet_regiis.exe) is a standard component of the .NET Framework. It lets you update the script maps of an ASP.NET application to point to the ASP.NET ISAPI version associated with the tool, which matters because several ASP.NET versions may be installed on one system. You can also use this tool to display the status of all installed ASP.NET versions, register the ASP.NET version associated with the tool, create the client-script directory, and perform other configuration operations.
The tool has a large number of command-line options, including options for encryption and decryption (-pef and -pdf). You can use the /? option for help. The encryption option uses DPAPI to encrypt the data. Next, I will use the web.config file shown in List A:
List A
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="site" value="TechRepublic.com"/>
  </appSettings>
  <connectionStrings>
    <add name="db" connectionString="connection details"/>
  </connectionStrings>
  <system.web>
    <compilation debug="true"/>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="tester"/>
    </authorization>
    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
      <error statusCode="403" redirect="NoAccess.htm"/>
      <error statusCode="404" redirect="FileNotFound.htm"/>
    </customErrors>
  </system.web>
</configuration>
With this file in place, I can use the following command line to encrypt the connectionStrings section of the configuration file:
aspnet_regiis -pef "connectionStrings" "c:\inetpub\wwwroot\trconfig"
The structure of this command is very simple, as described in the following list:
- aspnet_regiis: the ASP.NET IIS Registration Tool.
- -pef: the command-line option that encrypts a section of a configuration file, identified by the physical path of the site.
- "connectionStrings": the name of the section to encrypt.
- "c:\inetpub\wwwroot\trconfig": the physical path of the local website.
When the command completes, you receive a success or failure message. As an example, List B shows the web.config file with the connectionStrings section encrypted. (If you want to copy and paste the code, here is the link to List B.)
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.netconfiguration/v2.0">
  <appSettings>
    <add key="site" value="TechRepublic.com"/>
  </appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>hlcvZ+Principal+l6FwwEQYj7GfulTO+I3rWLkG7E44Sqzv75VG9QIU7oBH0d+jXo=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>oEe1fu5aiY0AtsgovXG7TVdxSZw8FU1w18LhdSmL5pptKtOnSYIZ6gVzm9B5/n4t5PWsn7BqGmd535JPe4G+signature==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="true" defaultLanguage="c#"/>
    <authentication mode="None"/>
    <authorization>
      <allow users="tester"/>
    </authorization>
    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
      <error statusCode="403" redirect="NoAccess.htm"/>
      <error statusCode="404" redirect="FileNotFound.htm"/>
    </customErrors>
  </system.web>
</configuration>
The rest of the file is unchanged, but you can choose to encrypt other sections as well. For example, you can encrypt the appSettings section of the sample file so that its data cannot be read by others.
If you need to work with an encrypted file, you must first decrypt it, and the command line makes that easy. The following command line reverses the encryption of the connectionStrings section of the application's web.config file:
aspnet_regiis -pdf "connectionStrings" "c:\inetpub\wwwroot\trconfig"
This command returns the encrypted file to its plaintext form, so you can modify it and then re-encrypt it after editing.
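As an added check that is not part of the original article, the following script audits a web.config after running aspnet_regiis -pef or -pdf and reports which of the sections listed above as protectable are still stored in plaintext; the two sample configurations are constructed from List A and List B.

```python
# Added example (not from the original article): audit a web.config for the
# sections that ASP.NET 2.0 protected configuration can encrypt and report
# which ones are still plaintext. Sample inputs below are constructed.
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
# Sections the article lists as encryptable with protected configuration.
PROTECTABLE = ("appSettings", "connectionStrings", "identity", "sessionState")

def local_name(tag):
    """Strip the {namespace} prefix ElementTree adds to namespaced tags;
    aspnet_regiis puts an xmlns on <configuration> (see List B)."""
    return tag.rsplit("}", 1)[-1]

def is_protected(section):
    """True only if the section carries configProtectionProvider and its
    single child element is an xmlenc EncryptedData element."""
    children = list(section)
    return (section.get("configProtectionProvider") is not None
            and len(children) == 1
            and children[0].tag == "{%s}EncryptedData" % XMLENC)

def audit_config(xml_text):
    """Map each protectable top-level section present in the file to
    'encrypted' or 'plaintext'."""
    root = ET.fromstring(xml_text)
    report = {}
    for child in root:
        name = local_name(child.tag)
        if name in PROTECTABLE:
            report[name] = "encrypted" if is_protected(child) else "plaintext"
    return report

# Constructed samples modelled on List A (before) and List B (after -pef).
PLAIN = """<?xml version="1.0"?>
<configuration>
  <appSettings><add key="site" value="TechRepublic.com"/></appSettings>
  <connectionStrings><add name="db" connectionString="connection details"/></connectionStrings>
</configuration>"""

ENCRYPTED = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.netconfiguration/v2.0">
  <appSettings><add key="site" value="TechRepublic.com"/></appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER_BASE64</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("List A", PLAIN), ("List B", ENCRYPTED)):
        print(label, audit_config(cfg))
```

Note that unless the -prov option names another provider, aspnet_regiis uses RsaProtectedConfigurationProvider, which is why List B shows that provider rather than DPAPI.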