Encrypting .config files

Discussion in 'ASP .Net Security' started by MCM, Sep 16, 2009.

  1. MCM

    MCM Guest

    This article explains how to encrypt sections of web.config:

    http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

    In my application I have this line in web.config:

    <appSettings configSource="Config\AppSettings.config" />

    My question is, how do I encrypt the entire AppSettings.config file?
    MCM, Sep 16, 2009
    #1
    1. Advertising

  2. * MCM wrote, On 16-9-2009 21:54:
    > This article explains how to encrypt sections of web.config:
    >
    > http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
    >
    > In my application I have this line in web.config:
    >
    > <appSettings configSource="Config\AppSettings.config" />
    >
    > My question is, how do I encrypt the entire AppSettings.config file?
    >


    The not so nice answer is, put it in a web.config, encrypt the section
    you want, extract it back into the AppSettings.config.

    And you might be able to encrypt it through the programming API directly
    from your application on first load.

    --
    Jesse Houwing
    jesse.houwing at sogeti.nl
    Jesse Houwing, Sep 16, 2009
    #2
    1. Advertising

  3. Hi,

    >My question is, how do I encrypt the entire AppSettings.config file?


    Unfortunately it's not supported out of box. Even if you use built-in API
    to encrypt it, the value will be extracted from the custom file and added
    to web.config.

    A straightforward workaround is to encrypt the value data of an appSettings
    on your own. Then decrypt it in your code to get the correct value. You can
    do this programatically:

    http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryp
    toserviceprovider.aspx

    Please let me know if it can solve this issue and feel free to ask if you
    have additional questions.

    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Allen Chen [MSFT], Sep 17, 2009
    #3
  4. MCM

    MCM Guest

    That's not the answer I was hoping for, but it is an answer.

    My choices seem to be:

    1. encrpyt/decrypt data myself

    2. get rid of the external files and put it in web.config and use regiis to
    encode the sections via the article I posted.

    Neither is ideal, but what can ya do? Thanks for the help.


    "Allen Chen [MSFT]" wrote:

    > Hi,
    >
    > >My question is, how do I encrypt the entire AppSettings.config file?

    >
    > Unfortunately it's not supported out of box. Even if you use built-in API
    > to encrypt it, the value will be extracted from the custom file and added
    > to web.config.
    >
    > A straightforward workaround is to encrypt the value data of an appSettings
    > on your own. Then decrypt it in your code to get the correct value. You can
    > do this programatically:
    >
    > http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryp
    > toserviceprovider.aspx
    >
    > Please let me know if it can solve this issue and feel free to ask if you
    > have additional questions.
    >
    > Regards,
    > Allen Chen
    > Microsoft Online Support
    >
    > Delighting our customers is our #1 priority. We welcome your comments and
    > suggestions about how we can improve the support we provide to you. Please
    > feel free to let my manager know what you think of the level of service
    > provided. You can send feedback directly to my manager at:
    > .
    >
    > ==================================================
    > Get notification to my posts through email? Please refer to
    > http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
    >
    > Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    > where an initial response from the community or a Microsoft Support
    > Engineer within 2 business day is acceptable. Please note that each follow
    > up response may take approximately 2 business days as the support
    > professional working with you may need further investigation to reach the
    > most efficient resolution. The offering is not appropriate for situations
    > that require urgent, real-time or phone-based interactions. Issues of this
    > nature are best handled working with a dedicated Microsoft Support Engineer
    > by contacting Microsoft Customer Support Services (CSS) at
    > http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    MCM, Sep 17, 2009
    #4
  5. Hi,

    >That's not the answer I was hoping for, but it is an answer.


    >My choices seem to be:


    >1. encrpyt/decrypt data myself


    >2. get rid of the external files and put it in web.config and use regiis

    to
    >encode the sections via the article I posted.


    >Neither is ideal, but what can ya do? Thanks for the help.


    Thanks for your reply. Yes I believe they are the only options. This is not
    a supported function. If we want to do that we probably have to
    encrpt/decrypt ourselves.

    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .
    Allen Chen [MSFT], Sep 17, 2009
    #5
  6. Hi,

    >That's not the answer I was hoping for, but it is an answer.


    >My choices seem to be:


    >1. encrpyt/decrypt data myself


    >2. get rid of the external files and put it in web.config and use regiis

    to
    >encode the sections via the article I posted.


    >Neither is ideal, but what can ya do? Thanks for the help.



    Do you have additional questions? If you have, please feel free to ask.


    Regards,
    Allen Chen
    Microsoft Online Support

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .
    Allen Chen [MSFT], Sep 21, 2009
    #6
  7. MCM

    MCM Guest

    Nope. All good here. Thanks.

    "Allen Chen [MSFT]" wrote:

    > Hi,
    >
    > >That's not the answer I was hoping for, but it is an answer.

    >
    > >My choices seem to be:

    >
    > >1. encrpyt/decrypt data myself

    >
    > >2. get rid of the external files and put it in web.config and use regiis

    > to
    > >encode the sections via the article I posted.

    >
    > >Neither is ideal, but what can ya do? Thanks for the help.

    >
    >
    > Do you have additional questions? If you have, please feel free to ask.
    >
    >
    > Regards,
    > Allen Chen
    > Microsoft Online Support
    >
    > Delighting our customers is our #1 priority. We welcome your comments and
    > suggestions about how we can improve the support we provide to you. Please
    > feel free to let my manager know what you think of the level of service
    > provided. You can send feedback directly to my manager at:
    > .
    >
    >
    MCM, Sep 21, 2009
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    0
    Views:
    355
  2. Replies:
    35
    Views:
    50,764
    Chris Uppal
    Nov 9, 2005
  3. -Steve-

    Encrypting web.config

    -Steve-, Aug 16, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    353
    -Steve-
    Aug 16, 2006
  4. Ollie Riches
    Replies:
    1
    Views:
    1,624
    Gregory A. Beamer
    Dec 4, 2008
  5. Alex. O. Koranteng

    Encrypting web.config file

    Alex. O. Koranteng, Dec 26, 2008, in forum: ASP .Net
    Replies:
    2
    Views:
    783
    Allen Chen [MSFT]
    Jan 2, 2009
Loading...

Share This Page