Encrypting Passwords and Keys in web.config

by Anton 19. April 2014 19:18

We wanted to encrypt our passwords which we store in the web.config of our Webapplication. Most of the WorldWideweb pointed to the use of aspnet_regiis.exe: http://msdn.microsoft.com/en-us/library/53tyfkaw(v=vs.100).aspx We want to use the encrypted web.config on a few machines, so we need to import the decryption keys on those machines.

I pretty much used the walkthrough provided by Microsoft.

  1. Ceate a custom RSA key container: aspnet_regiis -pc "CampingInfo" –exp
  2. Grant the application access to the keys: aspnet_regiis -pa "CampingInfo" "NT AUTHORITY\NETWORK SERVICE". The ASP.NET identity can be found via creating and calling a page “Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);”
  3. Add a configuration provider to the web.config:
  4. <configuration>
    <configProtectedData>
    <providers>
    <add name="CampingInfoProvider"
    type="System.Configuration.RsaProtectedConfigurationProvider"
    keyContainerName="CampingInfo"
    useMachineContainer="true" />
    </providers>
    </configProtectedData>
    ...
    </configuration>

  5. Put the to be encrypted settings in a custom section in the web.config:
    <configuration>
    <configSections>
    <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler" />
    </configSections>
    <secureAppSettings>
    <add key="somepassword" value="xyz" />
    </secureAppSettings>
    ...
    </configuration>

  6. Encrypt the custom section: aspnet_regiis -pef "secureAppSettings" "C:\<path to dirctory where web.config resides>" -prov "CampingInfo"
  7. Export the RSA key container: aspnet_regiis -px "CampingInfo" "c:\keys.xml" -pri
  8. Copy the xml file to a second server which runs the same application (with the same, now partially encrypted web.config).
  9. Import the RSA key container on the second server: aspnet_regiis -pi "CampingInfo" "c:\keys.xml"
  10. Grant the application on the second server access to the keys as in 2. (Identity may be different.)

enjoyed the post?

Tags:

Comments (1) -

Rick Putnam
Rick Putnam United States
4/28/2016 10:30:38 PM #

Good article for which I am appreciative. However, I found that the argument for -prov in step 6 should be "CampingInfoProvider" rather than "CampingInfo".

Cheers.

Reply

Add comment

  Country flag

biuquote
  • Comment
  • Preview
Loading

About Oliver

shades-of-orange.com code blog logo I build web applications using ASP.NET and have a passion for javascript. Enjoy MVC 4 and Orchard CMS, and I do TDD whenever I can. I like clean code. Love to spend time with my wife and our children. My profile on Stack Exchange, a network of free, community-driven Q&A sites

About Anton

shades-of-orange.com code blog logo I'm a software developer at teamaton. I code in C# and work with MVC, Orchard, SpecFlow, Coypu and NHibernate. I enjoy beach volleyball, board games and Coke.