Friday, March 16, 2012

Encrypt and Decrypt Web.Config

Security is one of the major aspects of a web application, and it can be implemented in different ways. One of the main components that requires a high level of security is the configuration file, where the application's settings are defined. This post discusses a simple way to protect web.config entries.



Encrypt Web.Config Sections

We can encrypt the required sections using the ASP.NET built-in utility aspnet_regiis. For example, suppose we want to encrypt the appSettings defined in the default website.

Open the command prompt and run the command




%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings"


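After the command runs, the appSettings section in web.config holds encrypted data instead of the plain entries: the key name (Rsa Key) followed by the cipher values.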


g7ROtz+5zGkEXsfxBW1o7RmcGvekuEtbvHGC+EWQiqD0fJypbg56JgbO+7hLMYh7uq5J5AcNEa9XAxnsX2f7V5QJZLDguv+bJhdBHs27QrS5P0MNU4bqUipx0MYwuS+zPTkBwpyTuTzCBTJPZkkfd/4N0IvK9+JgQP9EUK9PlAA=



oSn8uYA9HUaii3ZcHET4oMATfVrFwpYpjipRgF9Uil+eSwno9r3HqNjS1VYwkEz8QFfhHnhSenwkKpIkuhv1hFvppX1CZtQyopVIDtsJgnzdP7uCk9xYt+7n6EX3OlgVuHCv8ckl7jpCAaTgtFLmScM6ey8N4SAkwK60e/Ou7zg4bqf0RnNYcghprdxuBR2z

Sometimes we need to encrypt sections for a website other than the default website. In that case, use the following options:


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/" -site TestSite


This command encrypts the appSettings section of the site TestSite. -app indicates the virtual directory under the site. To encrypt the web.config of the main website, use "/" as the virtual directory value.

In some cases, we may need to encrypt the web.config of a virtual directory or web application under our website. In that case, use the following command:


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site TestSite


Here, the command encrypts the web.config found under the MyApp web application configured under the TestSite website.

Instead of the site name, we can use the metadata identifier (ID) of the site, which can be obtained from IIS Manager.


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pe "appSettings" -app "/MyApp" -site 5

Decrypt Web.Config Sections
As with encryption, we can use the same utility to decrypt the section values for further updates. The decrypt command is:


%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pd "appSettings" -app "/MyApp" -site TestSite
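
To confirm that a -pe or -pd run left web.config in the intended state, the check below reads a configuration file and reports whether a section is stored encrypted. It is an added example, not part of the original post: Test-ConfigSectionProtected is a hypothetical helper name, and both sample files are constructed, with a placeholder in place of real cipher text.

```powershell
# Added example. Test-ConfigSectionProtected is a hypothetical helper, not part of aspnet_regiis.
function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [string[]] $Section = @('appSettings')
    )
    foreach ($name in $Section) {
        # local-name() keeps the lookup working when <configuration> declares an xmlns
        $node = $Config.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$name']")
        if ($null -eq $node) {
            [pscustomobject]@{ Section = $name; State = 'Missing'; Provider = '' }
            continue
        }
        # An encrypted section carries a provider attribute and an EncryptedData child,
        # and no readable <add> entries remain.
        $provider  = $node.GetAttribute('configProtectionProvider')
        $encrypted = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
        $clear     = $node.SelectNodes("*[local-name()='add']").Count
        if ($provider -and $encrypted -and $clear -eq 0) { $state = 'Encrypted' }
        elseif (-not $provider -and -not $encrypted)     { $state = 'Plaintext' }
        else                                             { $state = 'Inconsistent' }
        [pscustomobject]@{ Section = $name; State = $state; Provider = $provider }
    }
}

# Constructed samples (not from the original page); the cipher text is a placeholder.
$before = @'
<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
</configuration>
'@
$after = @'
<configuration>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
'@
Test-ConfigSectionProtected -Config $before
Test-ConfigSectionProtected -Config $after
```

For a real site, pass the file contents instead of a sample, for example `-Config (Get-Content <path to web.config> -Raw)`; a state of Inconsistent means the section should be inspected by hand before deployment.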
