Encrypting and Decrypting Configuration File
 
Published: 21 Mar 2007
Abstract
This article exposes the powerful feature of ASP.Net 2.0 that encrypts and decrypts all the configuration sections of configuration file.
by Uday Denduluri
Feedback
Average Rating: 
Views (Total / Last 10 Days): 27663/ 88

Introduction

Configuration file is a well formed XML file that would have all the settings of the application (both Windows and Web). For Web Application the configuration file is web.config and for windows application the configuration file is App.config. The file can be in ANSI, UTF-8, or Unicode. The system automatically detects the encoding. The root element of the Web.Config is always <configuration> tag. The section for the configuration file looks like the listing defined below.

Listing 1

<configuration>
<!-- All Configuration settings to be here-->
</configuration>
Why encryption for Configuration?

It is very necessary that the configuration files need to be encrypted. This encryption enables the security for configuration files. Hence, they cannot be read by any text editor. The configuration files may have crucial information which should be protected. It may contain simple User credentials or database information access information like Server name, Database Name, User ID and Password. Protected configuration enables us to encrypt sections of an ASP.NET application's Web.config file in order to protect sensitive information used by the application.

This can improve the security of our application by making it difficult for an attacker to gain access to the sensitive information even if an attacker gains access to your Web.config file. ASP.NET includes two protected configuration providers that can be used to encrypt sections of a Web.config file: RSAProtectedConfigurationProvider, which uses the RSACryptoServiceProvider to encrypt configuration sections, and DPAPIProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.

A powerful feature has been introduced in ASP.NET 2.0 where the configuration file can be encrypted. Almost all the sections can be encrypted including the user defined sections. Some of the sections like <HttpRuntime> cannot be encrypted. These sections are accessed from IIS and should not be encrypted.

Encrypting the Configuration File

Encrypting the configuration file has been illustrated in form of a simple method Encrypt. The code below assumes that user is well versed with programming of C# in ASP.NET. The code below explains how AppSettings section in Web.Config can be encrypted.

Listing 2

private void Encrypt()
{
//Name of the provider declared as string variable
const string PROVIDER = "DataProtectionConfigurationProvider";
 
// Open the Configuration file
Configuration ObjConfiguration =
 WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
 
// Open a section in the configuration file
AppSettingsSection ObjAppSettingsSection = ObjConfiguration.AppSettings;
 
// Encryption is done here
ObjAppSettingsSection.SectionInformation.ProtectSection(PROVIDER);
// Save the changes back to the configuration file
ObjConfiguration.Save();
 
// Reading the values after encryption and displaying the same
Response.Write(ConfigurationManager.AppSettings["Key"].ToString());        
}

Let us understand the code in Listing 1 step by step. We have a simple Encrypt method that does not have any parameters. It encrypts the appsettings section of web.config.

Listing 3

//Name of the provider declared as string variable
const string PROVIDER = "DataProtectionConfigurationProvider";

As shown in Listing 3 we have defined a constant provider. This is a custom protection provider. In some cases, we might need to encrypt information using an algorithm other than those available with the RSA or DPAPI providers. In that case, we can build a custom protected configuration provider to be used by ASP.NET. Here, the Provider defined is a custom protection provider. Developing the custom provider and extending the same is out of the scope for this section. We would be limited to only using the custom provider.

Listing 4

// Open the Configuration file
Configuration ObjConfiguration =
 WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
 
// Open a section in the configuration file
AppSettingsSection ObjAppSettingsSection = ObjConfiguration.AppSettings;

As shown in Listing 4, the configuration file is opened and read into the Configuration class and the appropriate section is read into AppSettingsSection class. [In this case it is AppSettings section.]

Listing 5

// Encryption is done here
ObjAppSettingsSection.SectionInformation.ProtectSection(PROVIDER);

As shown in listing 5 the AppSettings section gets encrypted.

Listing 6

<appSettings>
<add key="Key" value="Value"/>
</appSettings>

Listing 6 shows the AppSettings section before encryption.

Listing 7

<appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAvylHl+xPbE6
+vxGaIAr8OAQAAAACAAAAAAADZgAAqAAAABAAAAAUFpW88UBS/
QkWUOOFRdfRAAAAAASAAACgAAAAEAAAAAZ
NAa75GGiUzSMVh52mIgGIAAAAE7uQVThUA5sI4fA1C+FBWwS2H8N/c6K4KHAqz5Dqw7at2kx+
t0EXzDRAx1s1Bwmll4M7z0pwuTFGH5bZPJHGXTDqEaiHPRpaFSoyCAQ
3RCyXj6LnbxgZagBQNMU0elohTjLksNY8JdGpnrmL12Ncw
s9P5PKpA6MnPSv3H3yzG3xua17Fjn/nQRQAAACjJt5sQ5kreKEPBBPyLLnfR1RaVw==</CipherValue>
      </CipherData>
    </EncryptedData>
</appSettings>

 

Listing 7 shows the AppSettings section after encryption.

Decrypting the Encrypted Configuration file

Decrypting a configuration file can be done with the help of the method shown below, Decrypt. The Decrypt method simply checks if the configuration section is encrypted. If it is encrypted then it decrypts the same. The same is shown in listing 8. The code below assumes that the reader is well versed with programming in C#. Some of the classes are new in .NET Framework 2.0

Listing 8

private void Decrypt()
{
// Open the Configuration file
Configuration ObjConfiguration =
 WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
 
// Open a section in the configuration file
AppSettingsSection ObjAppSettingsSection = ObjConfiguration.AppSettings;
 
// Checking if the section information is protected
if (ObjAppSettingsSection.SectionInformation.IsProtected)
{
// Decrypt the section
               ObjAppSettingsSection.SectionInformation.UnprotectSection();
 
//Save the changes after decryption
ObjConfiguration.Save();
}
// Reading the values after De-crypting configuration file
            Response.Write(ConfigurationManager.AppSettings["Key"].ToString());
}

 

Decrypting the configuration file involves loading the configuration file in the Configuration object. Reading the section for which the encryption is done, check that the section is protected. If it is protected then unprotect the section. The changes done to the configuration need to be persisted back to the configuration file. Therefore, save the changes.

Listing 9

// Checking if the section information is protected
if (ObjAppSettingsSection.SectionInformation.IsProtected)
{
// Decrypt the section
               ObjAppSettingsSection.SectionInformation.UnprotectSection();
 
//Save the changes after decryption
ObjConfiguration.Save();
}

Listing 9 has the code in C# where the section information is checked for protection. This is done by the IsProtected method of SectionInformation class. If it returns true then the SectionInformation’s method UnprotectSection is called. This method simply decrypts the configuration and changes the configuration to its previous state. Once the changes are done then the Configuration is saved back to the configuration.

Conclusion

Encrypting and decrypting a configuration file is a powerful feature of ASP.NET 2.0. The encryption data is useful especially when we are dealing with sensitive data like username and password within web applications. Although ASP.NET configures IIS to prevent browser accessing web.config files, it is not a good practice to leave the configuration files in plain text.

Even if the configuration section is encrypted, the data can be read by configuration API. This means that the configuration values are impossible to read through a text editor. To programmatically set a configuration section to be encrypted we can call the ConfigurationSection.SectionInformation property to get section information object. To decrypt the encrypted section we call the method UnprotectSection() of SectionInformation class. The examples shown above support the same.

The programmer has to ensure that ASP.NET worker process account has enough privileges to modify the web.config file of the application.



User Comments

Title: Good one..   
Name: Gourik Kumar Bora
Date: 2009-03-04 1:03:41 AM
Comment:
Hi,
Its really good .can you please tell me how can i ensure that asp.net worker process will modify the web.config.
thanks in advance
Gourik
Title: Encrypting and decrypting a configuration file   
Name: Nitin Dixit
Date: 2007-07-26 3:46:41 AM
Comment:
Dear Uday,
How can i use my configuration after encryption?
Means lets suppose we have a connectionstring of my application and i encrypt that particular config section.
Now in my code behind how can i use it??????

thanks & Regards
Nitin Dixit






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2019 ASPAlliance.com  |  Page Processed at 2019-09-19 3:33:10 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search