Web. config file encryption

In general, we need to encrypt some sensitive information in the web. config file. Encryption is usually considered for the following nodes. In addition, many nodes are usually not encrypted, or even cannot be encrypted:

1) <deleetask> generally contains custom information.
2) <connectionstrings> This is familiar to everyone and contains the strings used to connect to the database.
3) <identity> contains the account information when impersonate is used.
4) <sessionstate> contains the connection string that places the session outside the process.

What do we usually want to use when it comes to encryption?AlgorithmEncryption, how to encrypt. First, ASP. NET provides two encryption methods: dpapi and RSA. We can choose one of the methods to encrypt our web. config. For the second question, we have two methods in the same way. Use the aspnet_regiis.exe tool orProgramChina siteCodeEncryption.

First, let's talk about some commands that use aspnet_regiis.exe to encrypt. Open the command line window of Visual Studio, and then enter aspnet_regiis /?, We can view some help information about aspnet_regiis. In this example, we use dpapi to encrypt connectionstrings. The website is in the sample1 virtual directory of IIS:

Aspnet_regiis-pe "connectionstrings"-app "/sample1"-prov "dataprotectionconfigurationprovider"

If we haven't used publish to IIS for our website, we can use the following command to encrypt-provide the absolute path of Website:

Aspnet_regiis-FFE "connectionstrings" C: \ projects \ sample1-prov "dataprotectionconfigurationprovider"

This simple encryption is complete. When obtaining the encrypted information, we can use the following code to automatically decrypt the information:

String connstr = configurationmanager. connectionstrings ["test"]. connectionstring;

If you want to change the encrypted node back to the original state, you can use the-Pd parameter:

Aspnet_regiis-Pd "connectionstrings"-app "/sample1"

 

Similarly, we can use the program for encryption and decryption.

Encryption:

Code
// Get the current configuration file.
Configuration config = Webconfigurationmanager. openwebconfiguration (request. applicationpath );

//Get the section.
Configurationsection appsec=Config. getsection ("Appsettings");

If (appsec ! = null & ! appsec. sectioninformation. isprotected)
{
// protect (encrypt) the section.
appsec. sectioninformation. protectsection ( " dataprotectionconfigurationprovider " );

//Save the encrypted section.
Appsec. sectioninformation. forcesave= True;
Config. Save ();
}

Decryption:

Code
Configuration config = Webconfigurationmanager. openwebconfiguration (request. applicationpath );

Configurationsection Section=Config. getsection ("Appsettings");

If(Section! = Null &&Section. sectioninformation. isprotected)
{
Section. sectioninformation. unprotectsection ();
Config. Save ();
}

 

However, when you move the encrypted website to another IIS, it cannot be decrypted because the Encrypted Key is stored on the local machine. In this case, you need to re-use aspnet_regiis on another server for encryption.

RSA and dpapi are a bit different. Dpapi keys are difficult to export, while Ras keys are easy to export. This indicates that RSA can be used locally for encryption, and this key can be exported and installed on the server for decryption.

Have a nice day!