How to Encrypt web.config Section (C#, ASP.NET)

Security is an important aspect of deploying ASP.NET applications to production environments. Security officers might ask you how you protect the usernames and passwords that are usually stored in the web.config file. In one of my recent projects for a client, I had to run my web service under a different user account (user impersonation). This was achieved by adding the user credentials to the web.config file:
<identity impersonate="true" 
  password="********" />

It is considered bad practice to store user credentials as plain text, so I needed to find a way to encrypt the identity section of the web.config file. You can also apply this routine to protect the connection strings in web.config, which (many times) stay unprotected.

Protecting sensitive parts of web.config is a two-step process.
1. Create a new key pair for the user account under which the application will run. This routine creates a new key and assigns ACL access for the user.
C:\inetpub\wwwroot\ws_issue>c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pa "NetFrameworkConfigurationKey" "svc-enroll"

2. Encrypt the section of web.config with the key you created in the previous step.
C:\inetpub\wwwroot\ws_issue>c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pe "system.web/identity" -app "/ws_issue"

In this command, 'system.web/identity' is the section we would like to encrypt and 'ws_issue' is the name of the web application.
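
A check to run after step 2, written as an added PowerShell example (not code from the original post): it confirms that a section carries the configProtectionProvider attribute and an EncryptedData element, and that no readable attributes such as password remain. The function name Test-ConfigSectionProtected and both sample configurations are constructed for illustration.

```powershell
# Added example. Reports whether a web.config section is still readable.
function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $SectionPath   # e.g. 'system.web/identity'
    )
    # Walk the path element by element; local-name() copes with dotted names
    # such as system.web and with the xmlenc namespace on EncryptedData.
    $node = $Config.DocumentElement
    foreach ($name in $SectionPath.Split('/')) {
        $node = $node.SelectSingleNode("*[local-name()='$name']")
        if ($null -eq $node) {
            return [pscustomobject]@{ Section = $SectionPath; State = 'Missing'; PlaintextAttributes = @() }
        }
    }
    $provider  = $node.GetAttribute('configProtectionProvider')
    $encrypted = $node.SelectSingleNode("*[local-name()='EncryptedData']")
    # An encrypted section keeps only configProtectionProvider; anything else is readable.
    $leftover  = @($node.Attributes |
        Where-Object { $_.Name -ne 'configProtectionProvider' } |
        ForEach-Object { $_.Name })
    $ok = $provider -and ($null -ne $encrypted) -and ($leftover.Count -eq 0)
    [pscustomobject]@{
        Section             = $SectionPath
        State               = if ($ok) { 'Protected' } else { 'Plaintext' }
        PlaintextAttributes = $leftover
    }
}

# Constructed samples: the section before and after encryption (placeholder values).
$before = [xml]@'
<configuration><system.web>
  <identity impersonate="true" userName="EXAMPLE-USER" password="EXAMPLE-PASSWORD" />
</system.web></configuration>
'@
$after = [xml]@'
<configuration><system.web>
  <identity configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </identity>
</system.web></configuration>
'@
Test-ConfigSectionProtected -Config $before -SectionPath 'system.web/identity'   # State: Plaintext
Test-ConfigSectionProtected -Config $after  -SectionPath 'system.web/identity'   # State: Protected
```

To check a deployed file, pass [xml](Get-Content <path to web.config> -Raw) as -Config; the same function works for 'connectionStrings'.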
