How to Encrypt Sensitive Data in Your Configuration Files

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Encrypt configuration sections that contain sensitive data such as SQL connection strings. Use DPAPI to encrypt the sensitive data in the configuration file on your WCF server machine. To encrypt sensitive data in your configuration files, use the aspnet_regiis.exe tool with the -pe (provider encryption) option.

For example, to encrypt the connectionStrings section, using the DPAPI provider with the machine key store (the default configuration), run the following command from a command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

The aspnet_regiis settings are:
  • -pe specifies the name of the configuration section to encrypt.
  • -app specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI".
  • -prov specifies the name of the protected configuration provider as it is registered in machine.config ("DataProtectionConfigurationProvider" for DPAPI, "RsaProtectedConfigurationProvider" for RSA).
The .NET Framework supports two protected configuration providers:
  • RSAProtectedConfigurationProvider. This is the default provider and uses RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple WCF services in a Web farm, where the same key container must be available on every machine.
  • DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server, because data encrypted with the machine key store can only be decrypted on that machine.

You do not need to take any special steps for decryption; the .NET runtime decrypts the section transparently when the application reads it.
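The same operation done programmatically, as an added example that is not part of the original article: it protects the connectionStrings section of a Web application with the DPAPI provider and then reads a connection string back with no decryption code, since the runtime handles that. The virtual path "/MachineDPAPI" and the connection string name "MyDb" are assumed placeholders.

```csharp
// Added example, not from the original article. Requires a reference to
// System.Configuration and System.Web, and must run on the server itself
// (DPAPI machine store) with write access to the application's Web.config.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtector
{
    // Provider names as registered in machine.config; these are the same
    // values aspnet_regiis accepts with -prov.
    public const string DpapiProvider = "DataProtectionConfigurationProvider"; // single server
    public const string RsaProvider   = "RsaProtectedConfigurationProvider";   // Web farm

    // Encrypts one section in place. Returns false if it was already protected,
    // so the call is safe to repeat (for example from a deployment script).
    public static bool ProtectSection(string appVirtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(provider);
        config.Save(); // Web.config now holds an <EncryptedData> element for the section
        return true;
    }

    // Reads a connection string from the saved file. No decryption step is
    // needed: the configuration system decrypts protected sections on read.
    public static string ReadConnectionString(string appVirtualPath, string name)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        if (settings == null)
            throw new ArgumentException("No connection string named " + name);
        return settings.ConnectionString;
    }

    static void Main()
    {
        const string app = "/MachineDPAPI"; // placeholder virtual path
        bool changed = ProtectSection(app, "connectionStrings", DpapiProvider);
        Console.WriteLine(changed ? "connectionStrings encrypted" : "connectionStrings was already encrypted");

        // Plaintext comes back even though the file on disk is encrypted.
        string cs = ReadConnectionString(app, "MyDb"); // placeholder name
        Console.WriteLine("Runtime returned a " + cs.Length + "-character connection string");
    }
}
```

To use the RSA provider for a Web farm instead, pass RsaProvider; the RSA key container then has to be exported and imported on each machine before the encrypted file will load there.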

Additional Resources

Last edited Jun 13, 2008 at 6:32 PM by prashantbansode, version 1
