Easily Encrypt Your Web.Config23rd August 2015
There's a very easy way to encrypt sections of your web.config file. Before we find out how, we should ask why.
The web.config file is a treasure trove of secrets. Often it includes passwords, applications settings and technical details about how the site operates.
- You don't really want people being able to read it.
- You don't want to store those secrets in SourceControl.
- When you copy data around using FTP, everything is visible (you should try and use SFTP). Who knows if you're being watched by a man-in-the-middle.
- If you have bad security configuration Owasp #5 then someone can just Googledork you: filetype:config inurl:web.config
Encryption Is Easy
Just use the tool that comes with .Net - aspnet_regiis.exe.
The syntax is very simple, basically:
aspnet_regiis -pe "connectionStrings" -app "/MyApplication"
Just run it for the section and app you want to encrypt.
You can also run multiple-commands at the same time by pasting them into the command window. I encrypt AppSettings, ConnectionStrings and Session all at the same time. It's just so easy, I'm suprised more people don't do it.
Decryption is easy to. Instead of the -pe switch, use the -pd switch.
If there's a problem encrypting or decrypting the file, firstly ensure that the site or app you specified in the command actually exists in IIS. .
Secondly, find out whether overide locks have been placed in parent configuration files. For example, you can lock the security settings in the web.config in System32 to help prevent administrators from inadvertently changing the security settings. Read more about it at MSDN.