Simple web.config encryption
Building an ASP.NET website is becoming easier with each new release of the .NET Framework, but as the learning curve flattens and more and more developers create public-facing sites, security concerns need to be considered. One of the easiest new methods of ensuring that confidential information remains secure is to encrypt sensitive sections of your web.config file.
Encrypting this information has never been easier, and should be included in the site's deployment task list, or incorporated as a custom task within the deployment files. You can take advantage of the aspnet_regiis utility to handle this task post-deployment:
Open up your Visual Studio 2005 command prompt tool, and run the following command:
aspnet_regiis -pe "connectionStrings" -app "/clarity" -prov "DataProtectionConfigurationProvider"
Let's take a quick look at the parameters we entered:
-pe: the encryption argument to the aspnet_regiis utility
"connectionStrings": specifies the subsection of the web.config to encrypt
-app "/clarity": the encryption should occur at this virtual path
-prov "DataProtectionConfigurationProvider": determines the type of encryption to perform. Use DataProtectionConfigurationProvider to apply encryption via the Windows DPAPI. I find this is easier to use for basic encryption. This method will generate the decryption key and place it in the Local Security Authority.
The default provider, RsaProtectedConfigurationProvider, uses the public key algorithm of the .NET Framework's RSACryptoServiceProvider class instead.
Once you've encrypted your web.config sections, you're set. The beauty of this is that you as a developer need not do anything to your code to decrypt this information. Any component that requires access to an encrypted section will automagically decrypt this information.
In the event you would like to decrypt the section for modification or testing, simply run this command:
aspnet_regiis -pd "connectionStrings" -app "/clarity"
Notice that -pe has changed to -pd, which notifies the utility that the section should be decrypted.
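The same encrypt/decrypt steps can be scripted as a deployment task through the protected-configuration API, shown here as an added example that is not part of the original post. It assumes the page's virtual path "/clarity" and must run on the target server itself, because DPAPI keys are bound to that machine.

```csharp
// Added example: programmatic equivalent of "aspnet_regiis -pe" / "-pd".
// Assumed virtual path: "/clarity" (same value as on the page).
using System;
using System.Configuration;
using System.Web.Configuration;

static class WebConfigProtection
{
    const string SectionName = "connectionStrings";
    // DPAPI-backed provider: ciphertext is tied to this machine's key store,
    // so an encrypted web.config cannot simply be copied to another server.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in place, like "aspnet_regiis -pe".
    public static void Protect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new InvalidOperationException("web.config has no <" + SectionName + "> section");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted; nothing to do
        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Restores plaintext for editing or testing, like "aspnet_regiis -pd".
    public static void Unprotect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Post-deployment check: the file on disk must hold <EncryptedData>, yet the
    // configuration API must still hand back usable plaintext connection strings.
    public static bool VerifyProtected(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        var section = (ConnectionStringsSection)config.GetSection(SectionName);
        bool encryptedOnDisk = section.SectionInformation.IsProtected;
        bool readable = section.ConnectionStrings.Count > 0
            && section.ConnectionStrings[0].ConnectionString.Length > 0;
        return encryptedOnDisk && readable;
    }
}
```

Run Protect("/clarity") as the last deployment step and fail the deployment if VerifyProtected("/clarity") returns false; a quick manual check is that the section in web.config now carries a configProtectionProvider attribute and an EncryptedData child instead of clear-text connection strings.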
Keep in mind this is ONE of the many things developers and net admins should be concerned with when deploying a web site to production. If your server isn't secure, these precautions won't mean much. But taking these steps is an important piece of the security puzzle.