Comment Feed for Encrypting your web.config file with ASP 2.0 (Visual Studio 2005) (RobertShelton on Channel 9)

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

cloak13PLAGUE — Wed, 27 Jun 2007 19:56:16 GMT

Thanks very much for the demo. I would like to hit on the question that the one user earlier asked. I think what the user was asking is if some how some one were able to retrieve that web config file could they take it to another machine and run the decrypt on it and get the information out of the file?

For example, Johnny Cracker steals the web.config file from my site some how. Could they run -pd on their home IIS 6 server and decrypt the file exposing the information we are trying to hide?

Another possible scenario is that I have a web farm. If server A which I encrypted the file on dies can I decrypt the file on server B?

Just curious,
Thanks again for posting!

Tim Kulp

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

ronb1191 — Mon, 12 Mar 2007 18:28:51 GMT

I have tried this command with failed results:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "C:\MyFolder\EncryptionDemo" –prov "DataProtectionConfigurationProvider"

All I got after attempting to run this command from a windows cmd prompt was the aspnet_regiis help screen. What am I missing? I have even ensured my web.config file is not read only and that the aspnet user has full control on the security permissions. Please help. Thanks you.

Sincerely,

Ron Breeding :(

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

mgambill — Tue, 25 Jul 2006 21:09:34 GMT

Very informative. However, what the significance of the "configProtectionProvider" attribute not being defined and the error associated with the "EncryptedData" tag in your Screencast. Should they just be ignored?

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

jrs — Wed, 31 May 2006 07:10:26 GMT

This was a nice demo Robert.

I'm curous it you have to encrypt the config files for every separate installation of the webapp (like you did in the video). I guess the encryption/decryption depends on some machine specific key.

How about web application farms. Is there a way to encrypt the config file once and deploy the decrypted version to all instances in the farm?

Regards,

Johan Sundström

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

Robert Shelton, Jr. — Fri, 03 Feb 2006 15:59:38 GMT

I'm not sure if I fully understand your question, but I would say this: Since the Web.config is a server-based file, the user shouldn't see anything in the way of errors. In fact, what you have to do, is when you get to the server(s) that you are going to run the web application on, you would encrypt the file at that server(s), so that the key was stored on that server.

I hope that this is clearer,

Robert

Re: Encrypting your web.config file with ASP 2.0 (Visual Studio 2005)

Luciano Evaristo Guerche — Thu, 19 Jan 2006 19:55:24 GMT

Dear Robert Shelton, Jr.,

If I encrypt a web.config file using aspnet_regiis.exe with -pe or -pef option, get encrypted web.config file and take it to another machine, run aspnet_regiis.exe with -pd or -pdf option, what do I get? A plain file or an error? Do the encryption algorithm uses the PKI or any salt to encrypt so that if you exchange windows accounts or machine, the user does not get to the plain file?