Automatically encrypt your ASP.NET Web.Config sections at runtime
Today I will show you how to encrypt the web.config settings in your production server at runtime.
Take a look at the EncryptConfig snippet below. This will encrypt the connectionStrings, system.web/sessionState, and appSettings section of the web.config
Private Sub EncryptConfig()
'1. Open the Web.Config for editing
Dim cfg As System.Configuration.Configuration = _
System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(System.Web.Hosting.HostingEnvironment.ApplicationVirtualPath)
'2. Add the configuration sections that you want to encrypt
Dim lSections As New Generic.List(Of String)
With lSections
.Add("connectionStrings")
.Add("system.web/sessionState")
.Add("appSettings")
End With
'3. Iterate each sections in the list that we added and encrypt it using DataProtectionConfigurationProvider
Dim section As ConfigurationSection
For Each s As String In lSections
section = cfg.GetSection(s)
If (Not section.SectionInformation.IsProtected) Then
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
End If
Next
'4. Save it!!
cfg.Save()
End Sub
We will then call this code in the Application_Start of the Global.asax file. This is the best place to put it since it is always triggered every time you update your web.config and run your page.
Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
EncryptConfig()
End Sub
However, this will always be triggered even if it is hosted in your development environment. We have to make sure that the EncryptConfig will only run in your production server.
Let’s assume that my production server’s computer name is XXX01:
Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
If My.Computer.Name.Contains("XXX01") Then
EncryptConfig()
End If
End Sub
You may be tempted to use Request.Url to check if it is running on your live site but unfortunately, Request object is not available yet in the Application_Start scope.
This is how your connectionStrings section will look like when you update your web.config and restart your application.
<configuration>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAAoxufDgh70iRkpmpvJlR+QQAAAACAAAAAAADZgAAwAAAABAAAACRoSDCeM4oKrAsEgIjlTXrAAAAAASAAACgAAAAEAAAAOd/Vw/vAnq5yLjJqRodywhwBQAAqqFr7oLlS+bETkUCR4J+yFnAHxQ9G9d2OZOz+97V9eVbS/Q/MEzULF9lA0ohCqODO4eKuPZTFq3GkG1sq7ivYc/yNoCi121iho6bKDks6dQAQ1vTtMZ1tKgwNRPlu23kBxyHffijXckQecqgxtyHwbjdWa9IwbpuL48KG+m9xf1FxDIFvMXCj76l/Rn+0TaYIvnhEZPg0Hoy1ipyVbHGoR26wEzw3Nq/mCao+AKx9Wu/SOJ82MHlzBjq9dhWQ5uBI0roqC5TIUa/x1nL6YD5sqL05zDgmW2mbue/4HD7zDWobrUuTQcpumhce7RUNzaRohsCdvkmv1GtCOFOnHx5ecN5FyRQ1f+moI2l7efeNmKd81IOkgKi+yhPNE1yVuPrGQIAde/bnJeooiV2MzIG4iwPY1CAK5UBNhsnaoxGInaKO/h1Lajotr4jpstx9qJFJ0ohmLkqfKYMI0PjHy4g9nXMFoWVeWymD1SKXM0MvDqXMYSI6cUR6ulpn/9tcvF7sUw3YcOlzRcpOjuQ2Hc00Wfs8UuECaaps0an2ake4oIrCGFmU1C86RN4hEA3gsyPWjhOeQZhMcRWwhzIm8Mh+f6pHbEhRPPN5ODZXDDxWy7LHxbc2Gtr65gKhvVUlYSy07uYjKFZ5Y7AEaCaLhizfr7xoXUZXNymFyEw/n1m6n1z0xXjiF6c4LnwpmRCnCJQ0vTXrXNJo0Jz6Vy+/x0yShVlbCqBfBzTpDJfGmGydAOC5w/dock378/OVSWp4rdLq18h+gZoya3NE1bZ/ooqiynkvvqVeVb2+Jd1L7y0EfwFOvEwHcYyL8SAlACWaDPjKjapR8EaLCJwqLTUwKd6Awd7gq2S/XlFDWgyw9jz04q3iSUkspZl+ey77kItPqb6WJ0zAYPWVjCNd5D0hAqA+AwLrkwJNO8YyH0pJhJAmlqk9UYFvdtQTbVsOyCGv+ROIfWoX6aQuhYCbPH8H7yanx5Rtzb09g1vGe5X+/94eFl17nE1dsuSOr7NwqX9BJm7gPemycuIvnae0wpiCZH7DelGCcf4MR0UVvRDj7jK7RIHNrNo25dz43pPqd8nPLLLekAJY4sONZSTwSF//GPOWvuh0YOtXFMb+UdOcy4htdJeF59OwWnbSoAXvZbqU8Txv/lRudeoP+2GMmBLACu3vZfygU+zrtOjIH+Vlkz81G6HjXxgErL3VKqfBa45azzi29YWe1xK1jFPS+MjQyn16a5crnEO5mcF8SQagVc8ptKHiqrGS0pYw3Hv+UQE4OgQGfWVSXgj61e5BvqtVWT15/M7lNmRJAH/9FbDuYlsfi9SAoCNjuzRd6kbjJ1V+Na6R+bc/ZiNSmQqMnu5I04owUVrhMfVfSJX6LQfZ1NaCLexTF3WVL2Gk0QU0wvmqD4Y06IP7QVus+rxSvyPj8tOo1TKQYCTzRZp5uEU4vgKcRPqC1wQKXuD+lUdyPaFIF5QjthD5APCrD5hK1guPK2akjdiLnF48Bzm4L3e1TQ+OcTHyy/jo+Da7zxq+Zfvc4PS5CJeKiXsAzyBB6Y6SYlviRzAe1DhWzpCXhLV506OHc5nwRLM+/YV3bV8fXcYAVIAPjxMyCi1yqRs10QVg0+HLaHXrvDmcq4TmiRpGgLzdjxKeAc8LI29KLKakexDUopIEzNkifD6fNbUA494d5yWOuCadFUQPp+smxNmrSuaKDhSBEGAHNTXiNcl1x/0bqOJ3FMaQ+WkOpNpmFV8/pndai800QHe7x0PS26Vgp53lM3u+Nh7H52aVhPQ5NaHJa5c/eH5mr/vHMKHtw/DU6G2m2NU5bF9sPn5Gb37rKM3o9Fq6V3jTdcxIJSILe18I+U3FAAAAM3dGAouh+HetpjILfTuut6AOhv4</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
... other sections here
... other sections here
</configuration>
I would suggest that you keep a local copy of your production site’s config file.
The information you've provided is quite useful. It's incredibly instructional because it provides some of the most useful information. Thank you for sharing that. mobile app companies in dubai
ReplyDelete