Knowledge Base

Encrypting sections of your application's web.config file improves the security of your application by replacing plain-text sections of its configuration with encrypted ones. You can use aspnet_regiis.exe to encrypt sections of the web.config file, and ASP.NET natively decrypts these sections and processes the file normally, all without writing any additional code.

To encrypt the connection string section complete the following steps:

  1. Open the "Command Prompt"
  2. Change the directory to the .NET Framework 2.0 directory using the following command
    • cd\WINDOWS\Microsoft.Net\Framework\v2.0.*
  3. Depending how the application is built, two options are available:
    1. Built as File System Web site
      • Type aspnet_regiis.exe -pef "connectionStrings" C:\Applications\ApplicationFolder
      • The first argument -pef indicates that the application is built as a File System Web site.  The second argument is the name of the configuration section needing to be encrypted.  The third argument is the physical path where the web.config is located.
      • To decrypt from this method replace -pef with -pdf
    2. Built as IIS-based Web site
      • Type aspnet_regiis.exe -pe "connectionStrings" -app "/Application"
      • The first argument -pe indicates that the application is built as an IIS-based application.  The second argument is the name of the configuration section that needs to be encrypted.  The third argument "-app" indicates that a virtual directory follows.  The final argument is the name of the virtual directory where the application is deployed.
      • To decrypt from this method replace -pe with -pd
  4. If the process completed without any errors you should see a message like "Encrypting configuration section...Succeeded!"
  5. To verify the result, open your web.config file and check whether the connectionStrings section has been encrypted.
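As an added example that is not part of this article, the following PowerShell script runs step 3, option 1 and then performs the step 5 check programmatically: the section counts as encrypted only when the element carries a configProtectionProvider attribute and its content has been replaced by an EncryptedData element. The application path, section name and the v2.0.50727 framework directory are assumptions.

```powershell
# Added example, not part of the original article. Encrypts one web.config
# section with aspnet_regiis.exe -pef and then verifies the result by
# inspecting the file. The paths below are assumptions for illustration.
param(
    [string]$AppPath = 'C:\Applications\ApplicationFolder',
    [string]$Section = 'connectionStrings'
)

# Returns $true when the named section is encrypted: the element carries a
# configProtectionProvider attribute and its only child element is <EncryptedData>.
function Test-ProtectedSection {
    param([string]$ConfigFile, [string]$SectionName)
    [xml]$xml = Get-Content -Path $ConfigFile -Raw
    $node = $xml.SelectSingleNode("/configuration/$SectionName")
    if ($null -eq $node) { return $false }
    $provider  = $node.GetAttribute('configProtectionProvider')
    $encrypted = @($node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' })
    $plaintext = @($node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' -and $_.LocalName -ne 'EncryptedData' })
    return ($provider -ne '') -and ($encrypted.Count -eq 1) -and ($plaintext.Count -eq 0)
}

# Step 2: aspnet_regiis.exe lives in the .NET Framework 2.0 directory
# (assumed v2.0.50727 here; use Framework64 for a 64-bit application pool).
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

$config = Join-Path $AppPath 'web.config'
if (Test-ProtectedSection $config $Section) {
    Write-Host "<$Section> is already encrypted; nothing to do."
    return
}

# Keep a copy so the file can be restored if encryption fails midway.
# The copy holds the plaintext secrets: delete it once the result is confirmed.
Copy-Item -Path $config -Destination "$config.bak" -Force

# Step 3, option 1: -pef <section> <physical path> (File System Web site).
& $regiis -pef $Section $AppPath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe exited with code $LASTEXITCODE" }

# Step 5: confirm the section is encrypted rather than trusting the console message.
if (Test-ProtectedSection $config $Section) {
    Write-Host "<$Section> is now encrypted."
} else {
    throw "<$Section> still contains plaintext; inspect $config and $config.bak"
}
```

ASP.NET decrypts the section at runtime using the key container the provider used, so the application pool identity must be able to read that container; aspnet_regiis.exe -pa grants that access.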

Using the method shown above, you can encrypt any section of the web.config except the following, simply by replacing "connectionStrings" with the appropriate section name:

  • <processModel>
  • <runtime>
  • <mscorlib>
  • <startup>
  • <system.runtime.remoting>
  • <configProtectedData>
  • <satelliteassemblies>
  • <cryptographySettings>
  • <cryptoNameMapping>
  • <cryptoClasses>