Encrypting and decrypting a web.config file.

mike55

mike55

Well-known member
Joined
Mar 26, 2004
Messages
726
Location
Ireland
Hi all

I am using the aspnet_regiis set of commands to create and a provider and encrypt/decrypt the connection string in a web.config file. The problem that I am having is that I generate the key on one machine and encrypt the config file. I then export the key and import onto my server, and assign the relevant permissions. I now want to remove the key so that nobody can look at the web.config file and be able to simply run the decryption command to see the connection string.

Here are the commands that I use:
1. generate machine level rsa key
Code: 
Aspnet_regiis
 
They key is required to decrypt the sections - if you delete it then asp.net cannot decrypt the relevant sections.

If you have already set permissions on the container though you shouldnt need to delete they key anyway.
 
So, this method is really only effective in the case that someone gets hold of the web.config file and moves it to another machine and then tries to decrypt it?

Mike55.
 
It is an extra layer of security for the web.config file. If somebody has physical access to the server then you already have problems in ensuring security - however this may be unavoidable (3rd party hosting as an example).

Encrypting the config file simply prevents information contained from being available in clear text, by securing the container you are preventing all but one or two selected accounts from ever being able to decrypt the file.
 

Similar threads

N
Web.config file maximum size and count
Replies
0
Views
373
Nedim
N
A
IIS Admin Service unable to start - How and Why it can happen?
Replies
0
Views
248
ashfana
A
S
Encrypt and decrypt a string in C# and C++
Replies
0
Views
161
speed780
S
J
Different encryption is created for the same value
Replies
0
Views
107
jazz1010
J
S
Ecrypt and decrpyt a string in C# and C++
Replies
0
Views
152
speed780
S
Back
Top