Managing Configuration Data Programmatically in ASP.NET 2.0
page 3 of 6
by SANJIT SIL

Using Encryption

Encrypting an entire section of a configuration file is a simple task with the .NET 2.0 configuration API. There are many configuration areas where sensitive and secret information may appear. For example, we can put database usernames and passwords in the <connectionStrings> section, and when we need the runtime to impersonate a fixed identity we often keep a username and password in the <identity> section. Whenever secrets like these appear, we should consider encrypting the section instead of leaving the secrets and sensitive information in plain text.

It should be noted that the following sections cannot be encrypted using protected configuration:

<processModel>

<runtime>

<mscorlib>

<startup>

<system.runtime.remoting>

<configProtectedData>

<satelliteassemblies>

<cryptographySettings>

<cryptoNameMapping>

<cryptoClasses>

We have to use the Aspnet_setreg.exe tool if we want to encrypt the sections listed above. This tool can be found under the ASP.NET installation path. It is really easy to protect (encrypt) and unprotect (decrypt) an entire configuration section. We do not need to decrypt a section in order to read configuration settings from it: the runtime reads the encrypted data and performs the decryption necessary for our application to read the plain text values. The following code listings show how to encrypt a section and decrypt it again using WebConfigurationManager and related classes.

Listing 4

<appSettings>
  <add key="Confidentialkey" value="sanjit9999900000000" />
</appSettings> 

To illustrate encrypting and decrypting the data in a section, two buttons named btnEncrypt and btnDecrypt are added to a test page:

Listing 5

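// Requires: using System.Configuration; using System.Web.Configuration;

protected void btnEncrypt_Click(object sender, EventArgs e)
{
    Encrypt("appSettings", "DataProtectionConfigurationProvider");
}

protected void btnDecrypt_Click(object sender, EventArgs e)
{
    Decrypt("appSettings");
}

// Encrypts the named section of the application's web.config with the given provider.
private void Encrypt(string sectionName, string provider)
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section = config.GetSection(sectionName);

    // Only protect a section that exists and is not already encrypted.
    if (section != null && !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();   // writes the encrypted section back to web.config
    }
}

// Decrypts the named section and stores it in web.config as plain text again.
private void Decrypt(string sectionName)
{
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section = config.GetSection(sectionName);

    // Only unprotect a section that exists and is currently encrypted.
    if (section != null && section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();   // writes the plain text section back to web.config
    }
}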

So there are two buttons that show how to encrypt and decrypt section data on the fly.

In the following code listing we can see what the application settings data looks like after encryption.

Listing 6

<appSettings configProtectionProvider="DataProtectionConfigurationProvider"> 
<EncryptedData>
<CipherData> 
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA73ohmg84YUKbVjbcXs6jCQQAAAACAAAAAAADZ
gAAqAAAABAAAAD6QbBeUN2Ri0Rjc+jxzF/bAAAAAASAAACgAAAAEAAAAAKUxQ1g3ZGpRK0PVCmG717AAAA
Aj7x96pMed9vhi7reOt765j6u/0rxcA3GW8XWT8M5ejtW9zuNMI4K0Hx+2IU/1Q9ZY1tSn+nv1WWCUsAr2
w0be1CCY5aWBFe/QQssnpUTrRVAPa+W7VyTQ+HJDWiH1NKuu63OLpmEqBCXe4EUJC42UaGHUV5bCKYaSgM
XeP+QKjR46AkOLmMod8SxrA2moOvIbIRIduufv0d5eRKj0AgSFLtOPECj7NeRfXce/FqLelQno0ZSSQ0xd
yGnq07O6YbHFAAAACPjEY/EbhvBAwnuR/yG/2p7In1w</CipherValue>
</CipherData>
</EncryptedData>
</appSettings>

Listing 7

<connectionStrings>
    <add name="pubs" 
      connectionString="localhost;integrated security=true;database=pubs;" />
  </connectionStrings>

The above code listing shows the connectionStrings data before encryption.

In the following code listing we can see what the connectionStrings data looks like after encryption. We can notice that the configuration API has added some additional information and that the section contains a cipher value instead of plain text connection strings.

Listing 8

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA73ohmg84YUKbVjbcXs6jCQQAAAACAAAAAAADZ
gAAqAAAABAAAAAwxh6BaZAyLKa8vBjTomZkAAAAAASAAACgAAAAEAAAAFRvsDBGI7d90o/cWOUoGPAQAQA
AeCkgDXGISNyrSJfVCWz+t7WU9lf1gkupFRFJYfebeEIzjfTHQ/MC6SD75t0qgrE89LbHpDgstfMxpxUSn
QZ1ep9V5ZmoLOwf+DyBeIlsIb5hw4k8MQwORuSXABtO5xfDTJEd/kaFtIFnzfAjx/nbGXx2HNu5YzXkQ7V
5BaK44Jd3R44jTl8dqMcWLZsUdKj4dy/PiXLr+qCfpkKUeGZKnSAPwjoFZ8a6BKs0rAhNWl6k6Pev+/tuL
cyOlYZhJ7CXLgKGq4dEM4e8bYs7EwJMvKR/GbHmhkoFSQKu1orQI/Sv6c0Anyggy/riaRRb6N2nksa2mO4
OMdZfI5z/uh5HA0JxZSQ+P7G8BeuGKoPfiL0UAAAAVZyDYYrci5shlEyvRHo0IIRxMtI=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
 

It should be noted that we cannot tell anything about the encrypted data, including the number of settings, the key names of settings, or their data types.
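The markers visible in Listings 6 and 8 (the configProtectionProvider attribute and the EncryptedData child element) can be used to check, from outside the application, which of the sections named earlier as sensitive are still stored in plain text. The following is an added example and not code from the article; the audit function, the SENSITIVE list and the sample web.config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sections the article names as common places for secrets (paths under <configuration>).
SENSITIVE = ("appSettings", "connectionStrings", "system.web/identity")

# Constructed sample: appSettings protected as in Listing 6 (cipher text replaced
# by a placeholder); connectionStrings and identity are still readable.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="pubs" connectionString="localhost;integrated security=true;database=pubs;" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="svc-example" password="constructed-value" />
  </system.web>
</configuration>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}appSettings'."""
    return tag.rsplit("}", 1)[-1]

def _find(root, path):
    """Walk a 'parent/child' path by local element name; None if any step is missing."""
    node = root
    for name in path.split("/"):
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return node

def audit(xml_text, sections=SENSITIVE):
    """Return {section path: (status, provider)}; status is protected, plaintext or absent."""
    root = ET.fromstring(xml_text)
    report = {}
    for path in sections:
        node = _find(root, path)
        if node is None:
            report[path] = ("absent", None)
            continue
        provider = node.get("configProtectionProvider")
        has_cipher = any(_local(c.tag) == "EncryptedData" for c in node)
        # Protected only if both markers seen in Listings 6 and 8 are present.
        report[path] = ("protected", provider) if provider and has_cipher else ("plaintext", None)
    return report

if __name__ == "__main__":
    for path, (status, provider) in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{path:22} {status:10} {provider or ''}")
```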

