.NET FAQs Unleashed!

How to encrypt a Web.config file - and enhance your security?

There are some good ways to encrypt your web.config file, and individual sections of the file can be encrypted on their own.

The App Settings section of the web.config file is meant for saving key/value pairs: information that depends on the system but is independent of the application, which makes it useful for configuration. It's the best place to keep connection string settings, especially in scenarios where multiple data sources are involved.

There are scenarios where the big-time security freaks get immensely offended and apprehensive about the application's security when configuration-level settings are kept in a web.config file. After all, it is eventually a flat file. Moreover, 80% of security flaws propagate from within the organization, and such files might contain invaluable credential information for an application. So here comes a method to secure a web.config file: encrypting it.

Where does configuration take place in the web.config file?
In the C# code-behind, open the application's configuration and fetch the section to protect, as shown below:

// Open the site's web.config from a running page
System.Configuration.Configuration configFile =
    System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

// Fetch the section that will be encrypted
System.Configuration.ConfigurationSection configSection = configFile.Sections["connectionStrings"];

This code assumes that a page is running, so the ApplicationPath property of the Request object resolves to the application whose web.config is to be opened. If a stand-alone utility is to be created instead, the path needs to be hard-coded and passed to the OpenWebConfiguration method.

Once the section has been fetched, it can be encrypted by specifying the protection provider. Finally, the encrypted version is saved back to the config file:

// DataProtectionConfigurationProvider (DPAPI) produces the output shown below;
// "RsaProtectedConfigurationProvider" is the other built-in choice
configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
configFile.Save();

The following is the eventual outcome in the web.config file:

<connectionStrings 
     configProtectionProvider="DataProtectionConfigurationProvider">
      <EncryptedData>
         <CipherData>
            <CipherValue>...Encrypted Data... </CipherValue>
         </CipherData>
      </EncryptedData>
</connectionStrings>

The WebConfigurationManager's ConnectionStrings collection decrypts this setting transparently when it is read, and it keeps track of whether the section in web.config is encrypted or not. Wow!

// The value comes back in clear text even though the section is encrypted on disk
string cnStr = System.Web.Configuration.WebConfigurationManager.ConnectionStrings["Northwind"].ConnectionString;

The private key resides on the web server. Because the strings are encrypted with the web server's private key, a file stolen from the site cannot be decrypted on any system other than that web server. This also means that the connection string cannot be encrypted until the application has been moved to the production server: if the connection string is encrypted on the test server, ASP.NET will not be able to decrypt it with the production server's private key. Another wow!

Sometimes you will need to decrypt the web.config again; the following code may be used:

// Open the site's web.config and fetch the encrypted section
System.Configuration.Configuration configFile =
    System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

System.Configuration.ConfigurationSection configSection = configFile.Sections["connectionStrings"];

// Decrypt the section (note the method name is UnprotectSection, with a lower-case "p")
configSection.SectionInformation.UnprotectSection();

// Write the clear-text section back to web.config
configFile.Save();
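The encrypt and decrypt steps above, combined into the stand-alone utility the text mentions, added here as an example and not taken from the original post. It assumes the site's physical root directory is passed on the command line and opens the file through WebConfigurationManager.OpenMappedWebConfiguration (my choice, so it runs without IIS or a live page), checks IsProtected first so it can be run repeatedly, and reads the section back to confirm that this machine can decrypt it.

```csharp
// Added example, not from the original post: a stand-alone utility that protects or unprotects
// <connectionStrings> in a site's Web.config. References: System.Configuration, System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;
static class ProtectConfig
{
    // DPAPI provider, key bound to this machine (matches the output shown above);
    // "RsaProtectedConfigurationProvider" is the other built-in choice.
    const string Provider = "DataProtectionConfigurationProvider";
    // Opens the Web.config under a physical directory without IIS or a running page.
    static Configuration Open(string siteRoot)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(siteRoot, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }
    // Returns true if the section was changed, false if already in the requested state.
    static bool SetProtection(string siteRoot, bool protect)
    {
        Configuration config = Open(siteRoot);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected == protect) return false;
        if (protect) section.SectionInformation.ProtectSection(Provider);
        else section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
    static int Main(string[] args)
    {
        // args: <siteRoot> protect|unprotect; siteRoot e.g. C:\inetpub\wwwroot\MySite (hypothetical)
        if (args.Length != 2) { Console.Error.WriteLine("usage: ProtectConfig <siteRoot> protect|unprotect"); return 2; }
        bool protect = args[1].Equals("protect", StringComparison.OrdinalIgnoreCase);
        try
        {
            bool changed = SetProtection(args[0], protect);
            Console.WriteLine(changed ? "Section updated." : "Section already in requested state.");
            // Reading the section back proves this machine's key can decrypt it.
            var cs = (ConnectionStringsSection)Open(args[0]).GetSection("connectionStrings");
            Console.WriteLine("Readable connection strings: " + cs.ConnectionStrings.Count);
            return 0;
        }
        catch (ConfigurationErrorsException ex) // typical cause: encrypted on another machine
        {
            Console.Error.WriteLine("Configuration error: " + ex.Message);
            return 1;
        }
    }
}
```

Run it under an account that can write to the site's Web.config; the same account must be used for reading when the provider is configured with user-scoped DPAPI keys.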

Happy Programming!