Meditation and Mindfulness for Software / IT Professionals. Conducted by Bipin Joshi in Thane. Read more...

Encrypting configuration section

Encrypting configuration sections

Introduction

Developers often store confidential information in the configuration files. Database connection strings, user names and passwords are some of the examples. One of the requested feature during ASP.NET 1.x days was to provide some way to easily encrypt and decrypt such information. Thankfully ASP.NET 2.0 fulfils this request in a flexible way. This article will explain how a specific configuration section can be protected using inbuilt tool and code.

How ASP.NET encrypts configuration files?

ASP.NET 2.0 allows you to encrypt sections of your configuration file so that they are secure and protected. This feature is often called as Protected Configuration. ASP.NET provides two ways to encrypt and decrypt the configuration files:

  • Via a command line tool called ASPNET_REGIIS.EXE
  • Via configuration management classes

The encryption and decryption is done with the help of two built-in Protected Configuration Provider :

  • RsaProtectedConfigurationProvider
  • DataProtectionConfigurationProvider

If you open machine.config on your machine you will find a section that specifies these providers. The RsaProtectedConfigurationProvider is the default one. Below is the relevant markup from machine.config file.

<configProtectedData 
defaultProvider="RsaProtectedConfigurationProvider">
<providers>
<add name="RsaProtectedConfigurationProvider" 
type="System.Configuration.RsaProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral, 
PublicKeyToken=b03f5f7f11d50a3a" 
description="Uses RsaCryptoServiceProvider to encrypt and decrypt" 
keyContainerName="NetFrameworkConfigurationKey" 
cspProviderName="" useMachineContainer="true" useOAEP="false" />
<add name="DataProtectionConfigurationProvider" 
type="System.Configuration.DpapiProtectedConfigurationProvider,
System.Configuration, Version=2.0.0.0, Culture=neutral, 
PublicKeyToken=b03f5f7f11d50a3a" 
description="Uses CryptProtectData and CryptUnProtectData 
Windows APIs to encrypt and decrypt" useMachineProtection="true" 
keyEntropy="" />
</providers>
</configProtectedData>

Encrypting a configuration section using ASPNET_REGIIS.EXE

Let's see how we can encrypt the <connectionStrings> section using ASPNET_REGIIS.EXE tool.

Create a new IIS based web site in VS.NET called EncryptTest and add a web.config file to it. Then add <connectionStrings> section as shown below:

<connectionStrings>
<add name="connstr" connectionString=
"data source=.\sqlexpress;initial catalog=
northwind;integrated security=true" />
</connectionStrings>

We simply add a connection string that points to Northwind database. Next, drag and drop a GridView control on the default web form and add the following code in the Page_Load event.

protected void Page_Load(object sender, EventArgs e)
{
string strConn = ConfigurationManager.
ConnectionStrings["connstr"].ConnectionString;
SqlDataAdapter da = new SqlDataAdapter
("select * from customers", strConn);
DataSet ds = new DataSet();
da.Fill(ds);
GridView1.DataSource = ds;
GridView1.DataBind();
}

We read the connection string from the <connectionStrings> section using ConfigurationManager class. We use this manual method instead of using SQL Data Source control deliberately just to prove that the inbuilt classes such as ConfigurationManager automatically decrypt the encrypted version of the connection string. We then populate a DataSet from all the records from Customers table and bind it with the GridView.

Now, open Visual Studio 2005 Command Prompt and issue the following command:

aspnet_regiis -pe "connectionStrings" -app "/encrypttest"

The -pe switch specifies the section from the web.config file to encrypy (connectionStrings in our case). The -app switch specifies the virtual path of the IIS application we are working on.

After executing this command if you peek into the web.config file you should see some thing like this:

<connectionStrings configProtectionProvider=
"RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>NW4gFUtlA3XkbKu42FQ3kYV8EKmwzy9r53vrI2rjV
ZFqjsr00/MwS6TWqjnsguN09kWvNIrbfWu5+Gi+DLFhYnGm2NcuaCy
Vic8f5e0Q8u3E7zk2MegZmiri5bSELE1fZneWz4oFb+MHqA94ZO3Be
XBlocou6ydtmJPXZCqLsDQ=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>T2fswq6Rt7g7VSNUnoe4kNFGSluWCBReQf3DRbXao/
sWaWs4mrJAI6Xy0zNDHY5pKXUUF9Kep2wG84rMVx0QtLIUjBaUKCnrm
Eb+53oYNPjN4Kf5zcPyWoaWwcus4LnJYNtg3oGJUvavZ0tjGXH9+5gB
w/xMrtfDcYAIom9l/IMcO92BKrvimjn/k4Mr8VXxGpvdMkAC3+e6dtW
JeUgQGpepO+RNpWymB5kWj38LjMQ=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>

The tool has encrypted the connectionStrings section using RsaProtectedConfigurationProvider (default) and stored the encrypted markup back to the configuration file. You can also specify the Protected Configuration Provider using -prov switch. Easy. Isn't it?

Now, run your web form. The web form should correctly display the Customers table in the GridView indicating that ConfigurationManager class automatically decrypts this information while reading the connection string.

Decrypting a configuration section ASPNET_REGIIS.EXE

What if you need to make some changes to the connection string during the development? Don't worry! The ASPNET_REGIIS.EXE tool allows you to decrypt the section also. Just issue the following command and get back your original un-encrypted version back.

aspnet_regiis -pd "connectionStrings" -app "/encrypttest"

The onlt difference between this command and the one we used previously is that we used -pd switch instead of -pa.

Encryption and decrypting via code

The task of encrypting and decrypting web.config can also be achieved via code. Let's see how.

Add a new web form to the same web site and design it as shown below:

Add the following code in the Click event of "Encrypt Connection String" button:

protected void Button1_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.
OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.ConnectionStrings;
if (!section.SectionInformation.IsProtected)
{
section.SectionInformation.ProtectSection
("RsaProtectedConfigurationProvider");
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Modified);
}
}

If you are not familiar with how to edit web.config programmatically then you may find this article useful : Modifying Web.config file programmatically.

The code above is opening the web.config file for modification. It then retrieves the ConnectionStrings section. The most important thing happens at the line marked in bold. The ProtectSection() method accepts the Protected Configuration Provider you want  to use for encryption and then encrypts the underlying section using that provider. The code finally saves the file back to the disk.

Decrypting the configuration section works on similar lines as explained below:

protected void Button2_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.
OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.ConnectionStrings;
if (section.SectionInformation.IsProtected)
{
section.SectionInformation.UnprotectSection();
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Modified);
}
}

Here, we used UnprotectSection() method to revert back to the un-encrypted version.

Summary

ASP.NET 2.0 makes it easy to secure your web.config files by allowing you to encrypt them. The encryption and decryption can be done in two ways - using ASPNET_REGIIS command line tool or programmatically.




Bipin Joshi is a software consultant, an author and a yoga mentor having 21+ years of experience in software development. He conducts online courses in ASP.NET MVC / Core, jQuery, and Design Patterns. He is a published author and has authored or co-authored books for Apress and Wrox press. Having embraced Yoga way of life he also teaches Meditation to interested individuals. To know more about him click here.

Get connected : Twitter  Facebook  Google+  LinkedIn

Posted On : 19 May 2006



Tags : ASP.NET Security Configuration