It is very easy to encrypt the web.config file thanks to the .NET built-in tool aspnet_regiis.exe. We can run this tool in the command line, pass a few parameters and it will encrypt your web.config file.
We will be leveraging the .NET tool aspnet_regiis.exe which can be found in the directory C:\Windows\Microsoft.NET\Framework64\v4.0.30319, the Framework64 and v4.0.30.319 may differ depending on what machine and version of .NET you are running.
Here is the web.config file we will be encrypting:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings>
<add key="webpages:Version" value="2.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="PreserveLoginUrl" value="true" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="Key1" value="Value1" />
<add key="Key2" value="Value2" />
<add key="Key3" value="Value3" />
</appSettings>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
</entityFramework>
</configuration>
|
The format of the inputs are:
1
|
aspnet_regiis.exe {encryption/decryption} {section to be encrypted} {path of web.config}
|
-pef is to specify that you are encrypting the web.config file. You can also pass in an encryption provider -prov and specify the provider you want to use to encrypt, in my case I didn't provide any so the default (RsaProtectedConfigurationProvider) provider is used.
Note how you don't have to specify the actual web.config file in the path, it will automatically find the file (since there can only be one in one directory) and encrypt/decrypt it.
One error most people get and have difficult debugging is in the path they will end with \ ex. \"C:\Users\Documents\Visual Studio 2013\Projects\mvc4Proj\mvc4Proj\" this will give you and error saying \"Illegal characters in path. Failed!\"
Web.config file after encrypting:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>gZ6eJ3J88e8i83kpCiTJ9NvdqJjoPOJ4IVGy26TuI9ht6RFB14EBNpkHEbzExaH2ll2fTt2Pljy0eScewVDbQXuCrwdXI3gmqdulTXiI57LBXEHUMAOQjnJhNO8VzDl8UA8FsSGAK1eqpBs99o1OcLs9EmsLFcmxZfcmnK0Gb4E=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>NNdMCXZ3F1Z2epK666eIDdNmRz35kO/UeOX8LfdygraZD6/oroikU/dkGKzHJ+ZYUGGy2hndtA9TSfZyNzQFI1AmSwGyEvKKQPcqb/0T66rHzvEtoZz+MHdhxS2cabXH/MOpVLMRN6y7ne+Kbnh80QcelyxU57CpKdsOtzJEm3FbxsbHJlPcE0bVZ6aavcDhDW9O+MbdBtxaJ+2qbOdSgd6mB0HTRnmB7SjwnC3IxBP0o4p+lvaPxIKryBrOi/y5Pjt8QWFl6HUR7dWyuQvnCWhj30qaPf8MBiTm22XThKEHa5E2amrb5eZui2HEsQmG2gAfiWjaGf1WIlsfEBuM5NXdskarANdC4z4D59shO307evz/NkGob+SwwBSiCvLmKyrR1uEO9MuJ2zqY+j6umkJH4mTXAqYdOUpuUhXj8XvtBZHeyyx90zeycNYjHxCadpH0eoaJLZ3FBTq2G4hJvRspmWOEroMGbo6tfrqbBhpYBn6AFCUgLkY+9b4bNeV6c/YGjpCVZGQlGVvDWMuppX6eFewr1cjZgazfG6pOQArGOtuzXJB71g==</CipherValue>
</CipherData>
</EncryptedData>
</appSettings>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
</entityFramework>
</configuration>
|
You can see only the section which was specified was encrypted, entityFramework section is untouched.
For decryption the command is similar except change -pef to -pdf. If you are using specifying a specific provider while encrypting you don't have to specify it while decrypting.