
Encrypting web.config sections

In a .NET 4.0 website, which web.config sections can be encrypted? I read that not all sections can be encrypted, but I can't find anything detailing which sections can.

From the MSDN docs, it's clear that one can encrypt and decrypt a web.config section using the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted as long as the section is not one of these ones:

The following is a list of configuration sections that cannot be encrypted using protected configuration: processModel, runtime, mscorlib, startup, system.runtime.remoting, configProtectedData, satelliteassemblies, cryptographySettings, cryptoNameMapping, and cryptoClasses. It is recommended that you use other means of encrypting sensitive information, such as the ASP.NET Set Registry console application (Aspnet_setreg.exe) tool, to protect sensitive information in these configuration sections.

Here's what you need to encrypt all other possible sections:

Encrypting and Decrypting Configuration Sections

Walkthrough: Encrypting Configuration Information Using Protected Configuration

To Encrypt

Go to the directory below in a command prompt: C:\Windows\Microsoft.NET\Framework\v4.0.30319>

  1. Command to encrypt the connectionStrings section in the web.config file of the ShopAPI IIS application.

aspnet_regiis -pe "connectionStrings" -app "/ShopAPI"

aspnet_regiis -pd "connectionStrings" -app "/ShopAPI"

Configuration files such as the Web.config file are often used to hold sensitive information, including user names, passwords, db connection strings, and encryption keys. That's why we should always keep those sensitive sections in encrypted form.

Sections you can encrypt:

  • <appSettings>
  • <connectionStrings>
  • <identity>
  • <sessionState>

Sections you can't encrypt:

  • <processModel>
  • <runtime>
  • <mscorlib>
  • <startup>
  • <system.runtime.remoting>
  • <configProtectedData>
  • <satelliteassemblies>
  • <cryptographySettings>
  • <cryptoNameMapping>

Remember: Encrypting and decrypting data incurs performance overhead. To keep this overhead to a minimum, encrypt only the sections of your configuration file that store sensitive data.
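An added example, not taken from any of the answers above or from Microsoft's tooling: a small audit that reports, for a given web.config, which of the encryptable sections listed above are still in plaintext and which present sections fall in the cannot-encrypt list. It relies on the fact that a section protected with aspnet_regiis carries a configProtectionProvider attribute and an EncryptedData child; the function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# Sections the answers above list as encryptable, as paths under <configuration>.
SENSITIVE = ["appSettings", "connectionStrings",
             "system.web/identity", "system.web/sessionState"]
# Sections the quoted MSDN text says protected configuration cannot encrypt.
UNENCRYPTABLE = {"processModel", "runtime", "mscorlib", "startup",
                 "system.runtime.remoting", "configProtectedData",
                 "satelliteassemblies", "cryptographySettings",
                 "cryptoNameMapping", "cryptoClasses"}

def _descend(node, path):
    """Follow a '/'-separated path by exact tag name; None if a step is missing."""
    for name in path.split("/"):
        node = next((c for c in node if c.tag == name), None)
        if node is None:
            return None
    return node

def audit_web_config(xml_text):
    """Map each section to 'encrypted', 'plaintext', 'absent' or 'cannot-encrypt'."""
    root = ET.fromstring(xml_text)  # assumes <configuration> has no default xmlns
    report = {}
    for path in SENSITIVE:
        node = _descend(root, path)
        if node is None:
            report[path] = "absent"
        elif "configProtectionProvider" in node.attrib and node.find(XMLENC) is not None:
            report[path] = "encrypted"
        else:
            report[path] = "plaintext"
    for el in root.iter():
        if el.tag in UNENCRYPTABLE:  # secrets here need another protection method
            report[el.tag] = "cannot-encrypt"
    return report

# Constructed sample: one encrypted section, two plaintext, one unencryptable.
SAMPLE = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="constructed-secret" /></appSettings>
  <system.web><identity impersonate="true" userName="svc" password="constructed" /></system.web>
  <runtime />
</configuration>"""
```

Running `audit_web_config` over each deployed web.config after the `-pe` step confirms the encryption actually landed in the file the application reads.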
