Web.config Encryption
How to protect your Web.config file
It is good practice to encrypt your Web.config file if it contains sensitive information, for example a connection string with a password.
With the ASP.NET IIS Registration tool (Aspnet_regiis.exe) you can easily encrypt specific sections of the Web.config file. The tool must be run from a command prompt with elevated privileges.
Example using DataProtectionConfigurationProvider. This provider uses DPAPI to encrypt and decrypt data:
aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "DataProtectionConfigurationProvider"
Example using RSAProtectedConfigurationProvider:
aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "RSAProtectedConfigurationProvider"
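If you do not specify the -prov parameter, RSAProtectedConfigurationProvider is used by default. This provider is recommended for Web Farm scenarios, because its RSA key container can be exported and imported on every server in the farm, whereas DPAPI keys are tied to a single machine.
To decrypt the connectionStrings section back to clear text: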
aspnet_regiis.exe -pdf "connectionStrings" c:\inetpub\YourWebApp
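To confirm that a section really is protected after running the commands above, the following PowerShell check (an added example, not part of the original article) reads a config file and reports the state of its connectionStrings section. The function name Get-ConnectionStringsProtection, the demo folder and both sample files are constructed for illustration; the protected sample is a simplified stand-in for what aspnet_regiis.exe writes.

```powershell
# Added example: report whether connectionStrings in a Web.config is protected.
function Get-ConnectionStringsProtection {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    # local-name() keeps the lookup working if <configuration> declares an xmlns.
    $xpath   = "/*[local-name()='configuration']/*[local-name()='connectionStrings']"
    $section = $xml.SelectSingleNode($xpath)

    $provider = $null
    if (-not $section) {
        $state = 'NoSection'
    } else {
        $provider  = $section.GetAttribute('configProtectionProvider')
        $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
        $entries   = $section.SelectNodes("*[local-name()='add']")
        if ($provider -and $encrypted) {
            $state = 'Encrypted'
        } elseif ($section.GetAttribute('configSource')) {
            # Section lives in another file; that file must be checked instead.
            $state = 'ExternalFile'
        } elseif ($entries.Count -gt 0) {
            $state = 'ClearText'
        } else {
            $state = 'Empty'
        }
    }
    [pscustomobject]@{ Path = $ConfigPath; State = $state; Provider = $provider }
}

# Constructed sample files so the check can be run offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'webconfig-audit-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
@'
<configuration><connectionStrings>
  <add name="Db" connectionString="Server=db;User Id=app;Password=CONSTRUCTED" />
</connectionStrings></configuration>
'@ | Set-Content (Join-Path $demo 'clear.config')
@'
<configuration>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>
'@ | Set-Content (Join-Path $demo 'protected.config')

Get-ChildItem $demo -Filter *.config |
    ForEach-Object { Get-ConnectionStringsProtection $_.FullName }
```

To audit real sites, point Get-ChildItem at the web root (for example c:\inetpub) with -Recurse -Filter Web.config and review every file reported as ClearText or ExternalFile.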
More information about aspnet_regiis.exe is available on MSDN.