Encrypt Sections Of Web.Config File in ASP.NET 2.0

1) Why is encryption needed in the Web.Config file?

The Web.Config file holds sensitive information such as the database server name, user name, and password. In any database-driven application the database is the most important asset. If you do not protect database-related information from a malicious user or hacker, it can create a dangerous situation.

Below are the sections which hold sensitive data.

1) appSettings

2) connectionStrings

3) sessionState

The .NET Framework 2.0 introduced a protected configuration feature that allows you to encrypt sensitive data. You can encrypt configuration file data using a command-line tool, which is described below in detail.

Two protected configuration providers are included.

1) RsaProtectedConfigurationProvider (default)

2) DataProtectionConfigurationProvider (uses the Windows Data Protection application programming interface, DPAPI)

  • Encrypt the connectionStrings section in Web.config

Steps :

1) Create a web application (ASP.NET with C#).

2) Add a web.config file to the application and add a connection string to it.

   <connectionStrings>
     <add name="mycon" connectionString="Data Source=.\sqlexpress;Initial Catalog=tempdb;uid=sa;pwd=sa007"/>
   </connectionStrings>

Or, using Windows authentication:

   <connectionStrings>
     <add name="mycon" connectionString="Data Source=.\sqlexpress;Initial Catalog=tempdb;Integrated Security=True"/>
   </connectionStrings>

3) There are now two possibilities: either you use VS.NET 2005, or the application is configured as a virtual directory.

case 1 (configured application as virtual directory)

   aspnet_regiis -pe "connectionStrings" -app "/Your Application Name" -prov "DataProtectionConfigurationProvider"

case 2 VS.net 2005

   aspnet_regiis.exe -pef "connectionStrings" "Your Application Path" -prov "DataProtectionConfigurationProvider"

Description : aspnet_regiis.exe is located in %windir%\Microsoft.NET\Framework\<.NET version>
Options :
1) -pe : specifies the configuration section to encrypt.
2) -pef : like -pe, but takes the physical path of the application that holds the configuration file.
3) -app : your web application's virtual path.
4) -prov : the provider name.

4) Run the above command and check the result.
5) Check the web.config file. The connectionStrings section is now encrypted:
   <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
     <EncryptedData>
       <CipherData>
         <CipherValue>...</CipherValue>
       </CipherData>
     </EncryptedData>
   </connectionStrings>
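6) In your page (Default.aspx), put the code below. ASP.NET decrypts the section transparently at run time, so no decryption code is needed.

   // requires: using System.Configuration;
   Response.Write("Connection String Is " + ConfigurationManager.ConnectionStrings["mycon"].ConnectionString);

7) Run the application and check the result.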
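
An added example, not part of the original post: a Python check that steps 4 and 5 took effect. It reports whether each sensitive section listed earlier is wrapped in EncryptedData with a configProtectionProvider attribute, and names connection strings that still carry a clear-text password. The function names and both sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Sections the article lists as sensitive, as paths below <configuration>.
SENSITIVE = ("appSettings", "connectionStrings", "system.web/sessionState")
PASSWORD = re.compile(r"\b(pwd|password)\s*=", re.IGNORECASE)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # '{uri}EncryptedData' -> 'EncryptedData'

def find_section(root, path):
    """Follow an 'a/b' path by local element name, ignoring XML namespaces."""
    node = root
    for name in path.split("/"):
        node = next((c for c in node if local(c.tag) == name), None)
        if node is None:
            return None
    return node

def status(sec):
    """Classify one section element as 'absent', 'encrypted' or 'plaintext'."""
    if sec is None:
        return "absent"
    cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip() for e in sec.iter())
    wrapped = len(sec) > 0 and all(local(c.tag) == "EncryptedData" for c in sec)
    ok = sec.get("configProtectionProvider") is not None and cipher and wrapped
    return "encrypted" if ok else "plaintext"

def audit(xml_text):
    """Map each sensitive section path to its status."""
    root = ET.fromstring(xml_text)
    return {path: status(find_section(root, path)) for path in SENSITIVE}

def plaintext_passwords(xml_text):
    """Names of <add> entries whose connectionString carries a password in the clear."""
    sec = find_section(ET.fromstring(xml_text), "connectionStrings")
    adds = [] if sec is None else [c for c in sec if local(c.tag) == "add"]
    return [c.get("name") for c in adds if PASSWORD.search(c.get("connectionString", ""))]

# Constructed samples: the article's "mycon" entry before and after encryption.
BEFORE = r"""<configuration><connectionStrings>
  <add name="mycon" connectionString="Data Source=.\sqlexpress;Initial Catalog=tempdb;uid=sa;pwd=sa007"/>
</connectionStrings><system.web><sessionState mode="InProc"/></system.web></configuration>"""
AFTER = """<configuration><connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    print(audit(BEFORE), plaintext_passwords(BEFORE), audit(AFTER), sep="\n")
```

A section counts as encrypted only when it has the provider attribute, contains nothing but EncryptedData, and the CipherValue is non-empty, so a file that was hand-edited after encryption is still reported as plaintext.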

I hope the above code worked. Now, what do you do if you want to change the connection string? Decrypt the section first.
Steps:

1) Run the decryption command for your case.

case 1 (configured application as virtual directory)

   aspnet_regiis -pd "connectionStrings" -app "/Your Application Name"

case 2 VS.net 2005

   aspnet_regiis -pdf "connectionStrings" "Your Application Path"

2) Check the result of the executed command.
3) Check the web.config file.


One comment

  1. khaled Eltaweel

    Thanks a lot
