Easily Encrypt Your Web.Config

There's a very easy way to encrypt sections of your web.config file. Before we find out how, we should ask why.

The web.config file is a treasure trove of secrets. It often contains database passwords, application settings and technical details about how the site operates.

  • You don't want arbitrary people being able to read it.
  • You don't want those secrets sitting in plaintext in source control.
  • When you copy files around with FTP, everything (your credentials included) crosses the wire in the clear, so use SFTP or FTPS; you never know when a man-in-the-middle is watching.
  • If the server is misconfigured (OWASP Top 10 A5, Security Misconfiguration) so that .config files are served, someone can simply Google dork you: filetype:config inurl:web.config

Encryption Is Easy
Just use the tool that ships with the .NET Framework, aspnet_regiis.exe (found under %windir%\Microsoft.NET\Framework\<version>\, or Framework64\ on a 64-bit box).
The syntax is very simple, basically:

aspnet_regiis -pe "connectionStrings" -app "/MyApplication"

Run it once for each section and app you want to encrypt. The section argument is the path of the element below <configuration>, so a nested section is written with a slash, e.g. system.web/sessionState.
You can also run several commands at once by pasting them into the command window. I encrypt appSettings, connectionStrings and system.web/sessionState all at the same time. It's so easy, I'm surprised more people don't do it.
One thing to be clear about: by default aspnet_regiis uses RsaProtectedConfigurationProvider with a machine-level key container, so the ciphertext is tied to that server, and anyone who can already run code as the application pool identity or as an administrator on it can still decrypt. This protects you against the file being read, not against the host being owned.
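A worked version of the whole procedure, as an added example rather than code from the original post: it encrypts several sections in one go, grants the worker process access to the RSA key container, and reads the configuration back to confirm it still loads. The site, application, pool and paths are assumptions.

```powershell
# Added example, not from the original post. Assumes 64-bit .NET 4.x,
# an IIS application at virtual path /MyApplication under "Default Web Site",
# and an application pool named MyAppPool (all hypothetical names).
# Run from an elevated PowerShell prompt.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$app    = '/MyApplication'
$site   = 'Default Web Site'
$pool   = 'MyAppPool'

# Section names are paths below <configuration>, so a nested section such as
# sessionState is written as system.web/sessionState.
$sections = @('connectionStrings', 'appSettings', 'system.web/sessionState')

foreach ($section in $sections) {
    & $regiis -pe $section -app $app -site $site
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis failed to encrypt '$section' (exit code $LASTEXITCODE)"
    }
}

# The default provider (RsaProtectedConfigurationProvider) keeps its key pair in
# the machine-level RSA container NetFrameworkConfigurationKey. The worker
# process can only decrypt the sections if its identity may read that container.
& $regiis -pa 'NetFrameworkConfigurationKey' "IIS AppPool\$pool"
if ($LASTEXITCODE -ne 0) { throw "Granting key access to $pool failed (exit code $LASTEXITCODE)" }

# Verify: read the configuration back through the normal API. Callers with key
# access get the decrypted values transparently; the file on disk stays ciphertext.
Add-Type -AssemblyName System.Configuration
Add-Type -AssemblyName System.Web
$config = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration($app, $site)
foreach ($section in $sections) {
    $info = $config.GetSection($section).SectionInformation
    '{0,-28} protected={1} provider={2}' -f $section, $info.IsProtected, $info.ProtectionProvider.Name
}
```

To undo it, run the same loop with -pd in place of -pe. If the application runs on more than one server, export the container once with -px "NetFrameworkConfigurationKey" keys.xml -pri and import it on the other machines with -pi before encrypting, otherwise each box ends up with its own key and the encrypted file is only readable where it was produced.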

Decryption
Decryption is easy too. Instead of the -pe switch, use the -pd switch; the section and app arguments stay the same.

Gotchas
If there's a problem encrypting or decrypting the file, first make sure the site or app you named in the command actually exists in IIS: -pe and -pd resolve the virtual path through IIS. If the app isn't registered in IIS (on a build server, say), use -pef and -pdf with the physical directory that holds the web.config instead.

Secondly, check whether override locks have been placed in parent configuration files. For example, the security settings can be locked in the machine-level web.config (or in IIS's applicationHost.config under System32\inetsrv\config) to stop administrators from inadvertently changing them, and a locked section can't be rewritten in the child web.config, which stops aspnet_regiis too. Read more about it at MSDN.