Automatically encrypt your ASP.NET Web.Config sections at runtime

 
Today I will show you how to encrypt the web.config settings on your production server at runtime.
Take a look at the EncryptConfig snippet below. It encrypts the connectionStrings, system.web/sessionState, and appSettings sections of the web.config.
   
 Private Sub EncryptConfig()

     '1. Open the Web.Config for editing
     Dim cfg As System.Configuration.Configuration = _
         System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration( _
             System.Web.Hosting.HostingEnvironment.ApplicationVirtualPath)

     '2. Add the configuration sections that you want to encrypt
     Dim lSections As New System.Collections.Generic.List(Of String)
     With lSections
         .Add("connectionStrings")
         .Add("system.web/sessionState")
         .Add("appSettings")
     End With

     '3. Iterate over each section in the list and encrypt it using DataProtectionConfigurationProvider
     Dim section As System.Configuration.ConfigurationSection
     For Each s As String In lSections
         section = cfg.GetSection(s)
         'GetSection returns Nothing for a section it cannot find, so skip those
         If section IsNot Nothing AndAlso Not section.SectionInformation.IsProtected Then
             section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
         End If
     Next

     '4. Save it!!
     cfg.Save()
 End Sub

We will then call this code in Application_Start in the Global.asax file. This is the best place to put it, since Application_Start is triggered every time you update your web.config and run your page.

 Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
     EncryptConfig()
 End Sub

However, this will always be triggered even if it is hosted in your development environment.  We have to make sure that the EncryptConfig will only run in your production server.

Let’s assume that my production server’s computer name is XXX01:
   
 Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)  
     If My.Computer.Name.Contains("XXX01") Then
         EncryptConfig()  
     End If  
 End Sub  
   

You may be tempted to use Request.Url to check whether the application is running on your live site, but unfortunately the Request object is not yet available in the Application_Start scope.

This is what your connectionStrings section will look like after you update your web.config and restart your application.
 <configuration>  
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">  
   <EncryptedData>  
    <CipherData>  
     <CipherValue>...</CipherValue>  
    </CipherData>  
   </EncryptedData>  
  </connectionStrings>  
    
  ... other sections here  
  ... other sections here  
   
 </configuration>  
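
To confirm from code that the sections really are encrypted on disk, a status check can run right after EncryptConfig. This is an added example, not code from the original post: the module and function names (`ConfigProtectionCheck`, `GetProtectionStatus`, `GetPlaintextSections`) are hypothetical, and it assumes it runs inside the same ASP.NET application.

```vb
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Web.Configuration
Imports System.Web.Hosting

' Hypothetical helper module (added example, not from the original post).
Public Module ConfigProtectionCheck

    ' The same three sections that EncryptConfig protects.
    Private ReadOnly SectionNames As String() = _
        {"connectionStrings", "system.web/sessionState", "appSettings"}

    ' Returns, per section, the provider name, "plaintext", "inherited" or "not found".
    Public Function GetProtectionStatus() As Dictionary(Of String, String)
        Dim cfg As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(HostingEnvironment.ApplicationVirtualPath)
        Dim status As New Dictionary(Of String, String)
        For Each name As String In SectionNames
            Dim section As ConfigurationSection = cfg.GetSection(name)
            If section Is Nothing Then
                status(name) = "not found"
            ElseIf section.SectionInformation.IsProtected Then
                status(name) = section.SectionInformation.ProtectionProvider.Name
            ElseIf Not section.SectionInformation.IsDeclared Then
                ' Defined only in a parent config file, so nothing to encrypt here
                status(name) = "inherited"
            Else
                status(name) = "plaintext"
            End If
        Next
        Return status
    End Function

    ' Lists sections declared in this web.config that are still readable on disk,
    ' and writes a trace warning for each one.
    Public Function GetPlaintextSections() As List(Of String)
        Dim result As New List(Of String)
        For Each entry As KeyValuePair(Of String, String) In GetProtectionStatus()
            If entry.Value = "plaintext" Then
                System.Diagnostics.Trace.TraceWarning( _
                    "web.config section {0} is not encrypted", entry.Key)
                result.Add(entry.Key)
            End If
        Next
        Return result
    End Function

End Module
```

On the production server, an empty list from `GetPlaintextSections()` after `EncryptConfig()` means every declared section in the list is protected.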

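I would suggest that you keep a local copy of your production site’s config file, because sections encrypted with DataProtectionConfigurationProvider (Windows DPAPI) can only be decrypted on the machine that encrypted them.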
