ASPNET2SecurityFAQs



Question: How do I secure sensitive data in configuration files?


Answer:

In ASP.NET 2.0, use the Aspnet_regiis.exe tool with the -pe (provider encryption) option to encrypt sections of Machine.config and Web.config files.

To encrypt a configuration section, for example the <connectionStrings> section, using the DPAPI provider and storing the encryption key in the machine store (the default configuration), run the following command from a command window:

		 aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
	

* -pe: specifies the configuration section to encrypt.
* -app: specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI".
* -prov: specifies the provider name.

The .NET Framework 2.0 SDK provides two different Protected Configuration providers, which you use with the aspnet_regiis.exe tool:
* RSAProtectedConfigurationProvider. This is the default provider and uses RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple Windows Servers in a Web farm, because the RSA key container can be exported and imported on each server.
* DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server, because the DPAPI key is tied to that machine.

The following sections often contain sensitive information that you need to encrypt:
* <appSettings>. Custom application settings.
* <connectionStrings>. Connection strings.
* <identity>. Web application identity. Can contain impersonation credentials.
* <sessionState>. Contains the connection string for the out-of-process session state provider.
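The following is an added example, not code from the original FAQ or from Microsoft: a small console tool that does programmatically what the aspnet_regiis -pe command above does, and at the same time audits the four sections listed above for plaintext secrets. It uses the .NET Framework 2.0 Protected Configuration API (System.Configuration / System.Web.Configuration); the virtual path "/MachineDPAPI" is the placeholder from the FAQ's command, and the tool assumes it is run on the Web server by an account that can write the target Web.config.

```csharp
// Added example (not part of the original FAQ): audit the sections the FAQ
// names as sensitive and, on request, encrypt them with a Protected
// Configuration provider. This is the API behind "aspnet_regiis -pe".
// Assumptions: .NET Framework 2.0 or later, run on the Web server, and the
// virtual path below exists in IIS (placeholder taken from the FAQ).
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectedConfigAudit
{
    // Sections the FAQ lists as commonly holding secrets (section paths
    // as used by Configuration.GetSection).
    static readonly string[] SensitiveSections =
    {
        "appSettings",
        "connectionStrings",
        "system.web/identity",
        "system.web/sessionState",
    };

    // Usage: ProtectedConfigAudit.exe [virtualPath] [provider] [--protect]
    //   provider "DataProtectionConfigurationProvider" = DPAPI, single server
    //   provider "RsaProtectedConfigurationProvider"   = RSA, Web farm
    static void Main(string[] args)
    {
        string virtualPath = args.Length > 0 ? args[0] : "/MachineDPAPI";
        string provider    = args.Length > 1 ? args[1] : "DataProtectionConfigurationProvider";
        bool protect       = args.Length > 2 && args[2] == "--protect";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        int plaintext = 0;

        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
            {
                Console.WriteLine("{0}: not present", name);
                continue;
            }

            // IsProtected is true once the section is stored as
            // <EncryptedData> with a configProtectionProvider attribute.
            if (section.SectionInformation.IsProtected)
            {
                Console.WriteLine("{0}: protected by {1}", name,
                    section.SectionInformation.ProtectionProvider.Name);
                continue;
            }

            plaintext++;
            Console.WriteLine("{0}: PLAINTEXT", name);

            if (protect)
            {
                // Same effect as aspnet_regiis -pe <name> -app <virtualPath> -prov <provider>.
                section.SectionInformation.ProtectSection(provider);
                // ForceSave writes the section out even if it was inherited
                // from Machine.config rather than declared in this Web.config.
                section.SectionInformation.ForceSave = true;
                Console.WriteLine("{0}: encrypted with {1}", name, provider);
            }
        }

        if (protect && plaintext > 0)
        {
            config.Save(ConfigurationSaveMode.Modified);
        }

        // Decryption needs no extra step: the configuration system hands the
        // application the decrypted values. Only names are printed here so the
        // audit log never contains the secrets themselves.
        ConnectionStringSettingsCollection strings = config.ConnectionStrings.ConnectionStrings;
        Console.WriteLine("{0} connection string(s) readable after decryption:", strings.Count);
        foreach (ConnectionStringSettings cs in strings)
        {
            Console.WriteLine("  {0} ({1} chars)", cs.Name, cs.ConnectionString.Length);
        }
    }
}
```

Run it without --protect first to get a report of which of the four sections are still plaintext; a second run with --protect encrypts them. Pick the DPAPI provider for a single server and the RSA provider for a Web farm, as the provider list above explains.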

You do not need any special steps for decryption, as the ASP.NET runtime takes care of this for you.
You cannot use the Aspnet_regiis.exe tool and protected configuration to encrypt the following sections in Web.config and Machine.config:

		 <processModel>, <runtime>, <mscorlib>, <startup>, 
		 <system.runtime.remoting>, <protectedData>, <satelliteassemblies>, 
		 [<cryptographySettings>,<cryptoNameMapping>,] and <cryptoClasses>. 
	

For these sections, use the Aspnet_setreg.exe tool. You can also use this tool with ASP.NET 1.1. For more information on Aspnet_setreg.exe, see Microsoft Knowledge Base article 329290, "How to use the ASP.NET utility to encrypt credentials and session state connection strings" at http://support.microsoft.com/default.aspx?scid=kb;en-us;329290.

More Information

For more information on encrypting configuration sections, see "How To: Encrypt Configuration Sections Using DPAPI" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp and "How To: Encrypt Configuration Sections Using RSA" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000006.asp


