Reading custom web.config section that has been encrypted fails

Question

I am developing an installer that installs a web app , part of the install process requires me to set some custom configuration in the web.config and then right at the end I encrypt this section along with the connection strings section.

Everything looks great and my app completes without error and when I view the web.config in a text editor the sections I have encrypted do indeed appear to to be encrypted, however, when I come to load the web app I am confronted with the following error :

Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: '', hexadecimal value 0x12, is an invalid character. Line 18, position 54.

What I have managed to find out so far is that the above issue does not happen if I only encrypt the connection strings section, it only appears to be something to do with reading my custom section. So my question is: Do I need to implement something in my custom configuration getter to decrypt the section first before reading or is this something that .NET should be doing for me and I need to explore something different?

My code is below. I have just included the bits that I think matter, if you need to see more just let me know and I will update the question.

Thanks in advance.

Web.Config output

  <configSections>
    <section name="EngageConfiguration" type="BeaconAPI.EngageConfiguration, ConfigExtensions" />
  </configSections>

  <EngageConfiguration configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>gAGuJwEoWS+0jMrTuyzDQ7pKxeMaAdeXXr53UvkbaXCm5JH/pO522+EWo4faSCRaBUxoBumbgMI69WRvsqrq9eS3Q+MAmLaxtGG21raC5MpF19xfjDfsbxsE6ZDB3mPTxxkXCuGmcLdWtm64PER3F8CrSmJYBAx99BZ07FfddINIeJwXU60sAFfAVGSKa5yxKNGlDcTSkPMlYxy3MrCNPgp+TipsZDK/AGL4HeZoDcNwQbFYHwXWHqJTJMPTV5xsXeXp5IdLLaziWZaecnYi2p6vLqMoU79G/Nuzga/VyQ914rYVUZXFIuDHO1WwhKwzs3sIgPoADnaUj5AwCs3DrQ==</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>yHh7cBKbgz1c7YSkjVVYGDZB3EhRj0QTiQY3AH3YwAISO5yAuNmhiHCPiT6XoGPTd6Bgq9Ltnl++5T8q9JN4xMzJ6OecchxWUG6TMZxmAqiCK2arkPtzO1pMISK5+SlwXr0Z5VsJDGGnTRaVcjFAviHxLIfeoL5m41Q3nRoUPnb/63xVLAdAiDN/d3pT+W08nOhRynNVBR73zVcby7+g8rUplU9ANj8aE2oX7Kja2rxabQiAjwLs3V4fv+eTlwHmVdRmw6QT+VQEkwGySyocfGNJgXlmUJGbWkyazZQtWgXw67hQMe2qGd+OGt5AfM5i020f7rXLP7gowjyR992PPGXL87ihv1X7JLaDstolvNEBP7lTLP4UCDk1u/p/fzscJfNmW0iSmARn1K9in4FKWdZEprO8Pcd2cLzSLg/czq3oRs8DtLRHdf44DdCd+F/NFn4pVL4D/w+HseicrK120yVBzqlkxB0lvJH853KQCd+hYrMOf7kxuHckgUBpVlDuNbsOr4z4X3A6jFoAEajP2QDrRfNc3eBHt43LEIDWDKKl+Gzw4OTm/ksL/P4lmpiUYMqMskxSkw2ZHH2LJ1joAg6lQbI8nffyrlxpRyg5fgCk5yNJ1rlttpAfD+YbIdpDl+wJbn+pcm9NK6POG1n8kZAGvkkak4h1ypWWYU2/QxOIXi5a+ov4uMoTrKxchdqeIRNqDKnV1NxhRMqM0nQMPbSb3TP7WIFF/20QCZPPPmoyaZWljgnWwIE/+jba5ObKA03sPYJTsywLNJLDaSnqXKV4lmcmGIUCTlfPltAEtXKoFQuD0J7j6BD/64vfeWEv3fUTo7JeH2jxch2U/NTmgtQhopJXzAXChRI4HV4E/Qj2Z9xWiOOj6SW/dSUATk3MKtZI7OACQ5XVQD4ZZVm9Gln3hq3HWnGYuWLkI+KohvKMSSzs5qlCt+zAEVeQ/j7n98xYaFFWgjYkx9xo6VokAP+cxqwM3AT3XIAEXI/hpSlxk9JENYk9aET+OMTR4vYjSglrXMeTV2pX2kpw3dp86M8nZgOp1/yY2KoPzOvtpfFEDTxeH2TTTklpxRk0hNXIDGU8i3OUz/jQ8vbsZdrXwTPLGnAq4xlAdqmUuXq0LHK5MGIL+4GRjR5ACPhA3ktHI/QRO+I8gkStW6ZmhhM9oEBb4lFoKlZJVvvgaaGjvRJ348QtlCFb/8EAjj3Q0mnW9QMRKdUwAoh+nhrJe9jhdUXgqp7QiEw6NtaHULJM+SyrrDWjLmTvLJrpAgpNIuPcZtqyLrwRdfmvJQLH/P2HHNwCEnXVXwtotkUBnu8y+of4FIFx7GuzjQo/uEIQq6p1JW2pS1QiodDfPuZJqoCKsU4QUqoaLXpI1SRGGc1+2xrelyQj9X8HS601ZXURk+0EJhz7aRvSktQlSecdeTFr5ZgtR4zrcVvdXFvoCdT5cQv++8hsyN/VajDYvUCwKscarvd4JTahqnR1ODEg3e2m8NdWOdVzy5dbMSGt1i+ecrxQtMqxCOSUCGd+Ryb+Nqiprh4RO+usoxFQH6IkSAPMM3iNDLSw8Qp00mA6+g/ulGHkxyv2JVp/G+K+AAhLzTdMoqF8JYYbn+xcoXec8K/WycyjGZ4IsivePYg0xEoegq5ZZbkcKQOrz+OxnRiZEmyz</CipherValue>
      </CipherData>
    </EncryptedData>

Code used to encrypt section

private static void WebConfigEncryptSection(Configuration config, string SectionName)
        {
            if (!config.GetSection(SectionName).SectionInformation.IsProtected)
                        {
                            config.GetSection(SectionName).SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
                        }
        }

Code used to try and access values

private static void GetConfigValue(EngageConfiguration engageConfiguration, string Val)
        {
            return engageConfiguration.SystemConfiguration[Val].Value;
        }

Answer 1

Instead of encrypting sections of web.config, I would create an xml configuration file with encrypted values that you can deserialize/serialize from/to a class. I like keeping web.config and app.config as simplier as possible.