Web.Config Configuration Encryption
Recently, I've been working on quite a number of projects to do with enterprise web application development, and many a time I got requests to have all encryption strings encrypted. Of course, even if they didn't tell me to do so, I'd do so anyway, as it's just too dangerous to keep them in plaintext.
So do you have to write a special DLL for this task, or call the cryptographic services in .NET yourself? The answer is no! ASP.NET 2.0 provides this capability. In fact, this has already been available in ASP.NET 1.1; it's just that ASP.NET 2.0 includes the option to do so with DPAPI too!
ASP.NET 2.0 supports two forms of encryption:
- RSA (a form of asymmetric encryption)
- DPAPI
RSA is recommended, as DPAPI makes use of keys that are machine-specific, which isn't very portable. As RSA is a 1024-bit block encryption, if you want to encrypt data strings larger than that, you might want to consider envelope encryption, where you'd:
- Generate a random symmetric (secret) key
- Encrypt the string with a symmetric encryption algorithm (e.g. 3DES, AES) using the randomly generated key
- Encrypt the random key using RSA
Why so? This helps to solve key distribution problems and also increases the encryption speed. Symmetric encryption is typically 10,000 times faster than asymmetric-key encryption. This makes sense when you look at the number of keys used.
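The three envelope steps above, as an added C# example that is not part of the original post. It assumes AES-256-CBC with an HMAC-SHA256 tag for the symmetric step and a 2048-bit RSA key with OAEP padding, because the 96 bytes of key material do not fit in a 1024-bit OAEP block; the names EnvelopeDemo, Seal and Open are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class EnvelopeDemo
{
    // Returns { RSA-wrapped keys, IV, ciphertext, HMAC tag }.
    static byte[][] Seal(RSACryptoServiceProvider rsaPublic, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())             // random IV; CBC and PKCS7 are the defaults
        using (HMACSHA256 mac = new HMACSHA256())  // random 64-byte MAC key
        {
            aes.KeySize = 256;                     // fresh random 32-byte data key
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] tag = mac.ComputeHash(aes.IV.Concat(ct).ToArray()); // encrypt-then-MAC
                // Only the short key material goes through RSA (true = OAEP padding).
                byte[] wrapped = rsaPublic.Encrypt(aes.Key.Concat(mac.Key).ToArray(), true);
                return new[] { wrapped, aes.IV, ct, tag };
            }
        }
    }

    static byte[] Open(RSACryptoServiceProvider rsaPrivate, byte[][] env)
    {
        byte[] keys = rsaPrivate.Decrypt(env[0], true);   // first 32 bytes AES key, rest MAC key
        using (HMACSHA256 mac = new HMACSHA256(keys.Skip(32).ToArray()))
        using (Aes aes = Aes.Create())
        using (ICryptoTransform dec = aes.CreateDecryptor(keys.Take(32).ToArray(), env[1]))
        {
            // Verify the tag before decrypting, comparing without an early exit.
            byte[] expected = mac.ComputeHash(env[1].Concat(env[2]).ToArray());
            int diff = expected.Length ^ env[3].Length;
            for (int i = 0; i < expected.Length && i < env[3].Length; i++) diff |= expected[i] ^ env[3][i];
            if (diff != 0) throw new CryptographicException("Envelope failed its integrity check.");
            return dec.TransformFinalBlock(env[2], 0, env[2].Length);
        }
    }

    static void Main()
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
        {
            // Constructed sample input: the appSettings value shown in the post's web.config.
            byte[] secret = Encoding.UTF8.GetBytes("Data Source=(local);Database=db_custRecs;Integrated Security=SSPI;");
            Console.WriteLine(Encoding.UTF8.GetString(Open(rsa, Seal(rsa, secret))));
        }
    }
}
```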
In this example, DPAPI is used. However, if you want to use RSA to make your code portable, you'd need to change "DataProtectionConfigurationProvider" to "RsaProtectedConfigurationProvider".
Implementation Code
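using System.Configuration;
using System.Web.Configuration;

// Inside the page's button click handler:
// open this application's web.config for editing.
Configuration config =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection appSettings =
    config.GetSection("appSettings");

if (appSettings.SectionInformation.IsProtected)
{
    // Section is currently encrypted: decrypt it in place.
    appSettings.SectionInformation.UnprotectSection();
    Button1.Text = "Decrypt";
}
else
{
    // Section is currently plaintext: encrypt it with the DPAPI provider.
    appSettings.SectionInformation.ProtectSection
        ("DataProtectionConfigurationProvider");
    Button1.Text = "Encrypt";
}

// Write the changed section back to web.config.
config.Save();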
Web.Config Prior to Encryption
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="customerRecordDBConnectionString" value="Data Source=(local);Database=db_custRecs;Integrated Security=SSPI;"/>
  </appSettings>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows" />
  </system.web>
</configuration>
Web.Config After Encryption
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <EncryptedData>
      <CipherData>
        <CipherValue>
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAZ+eO5Glne0Cg5DOdDS6FlgQ
AAAACAAAAAAADZgAAqAAAABAAAAASnhP72Mnx926RfOa32hOQAAAA
AASAAACgAAAAEAAAAD+gxssSojnRnAqLtkqU2ThAAQAAiEMFWIBgi6zEb
bcT78v65+Sm8gp2opspMWr2jTFxC5eJtVtecSUiDMGbEQOYJPStnrbrXL3W16
bjF3xrBnEg4toTQnzvBMz+3Eaqy0/2Js/sksh/0OA2OIkwLU4BVEZhLN3TAiLDj
HzrzHxUzmUBdkkPBxSfaSFrnSh2eVTZWf+YBDT7Z1q9WWSe8Q22BHI2TRa
H/mjFXm/7rZQmdG3zhXX+EMQl2ow7/CGhYBZF1zOhMEdlE5ui/JOBd722CHv
Gb8sWBK6wd92dRs1T99+LZucBWpW0S4gonObUVYmKHa+gnK26L5rskpm
5XOBmDo8certosnEjHMqxH0JYY9/3xEevH5tG7HtOopc+TNo8/+C3jzWdX4uq
+S1grYRQff5Kmvqx4vR73v2/99q5UHqYkCPe5XLkMAFT20Dxux8er/oUAAAAY
auBiM2jrVRXhk3t6mN087j/HFI=
        </CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings/>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Windows" />
  </system.web>
</configuration>
Read the complete post at http://darrensim.com/blogs/techbits/archive/2007/03/10/web-config-configuration-encryption.aspx