After a web application is built and deployed to IIS, the ‘connectionStrings’ section of its web.config can be encrypted. This is done with the ASP.NET IIS Registration Tool (aspnet_regiis.exe).
See the following command executed on the command line (the command prompt needs to be started with administrative rights). Afterwards the web.config contains the encrypted section shown below instead of the plaintext connection strings:
aspnet_regiis -pe "connectionStrings" -app "/YourWebsiteName"
<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>BJFIXhlw2AjlQrsIjUSa+Sh5QyAhtQL7GL2cfW0cHd1gnBUJoQAZH/DO8+5aer+XnKrq6dXRnwUgdb6G7HyiX7F0ToT8+KwnPCfFpKdb6d2EcdFqLisEbhwwMf1g4l1r+DT+vmIhBcpwpgJHhCBjqjaMvE+rbjbYu1G+7fTbpas=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>7iEw3IbTMxy6rHrWqsWompJhBU3i8aX2hGqjdKhGlAYLmsHll6Eu/Z30Nme9xfcQlCB/a98+xp+Nu/cZFupM6QeIwZ0rzwwoj6WAoItOcdUuFixu8lrbOu79r1NIn1/LVIi+NzQZRcJbjwc0rsYapNywoSkySYGuL/8mSMW+Q2u4V6O8chu4EkvT+p3nBWshI1NJHGWR++K03a1/RbyGrYQ+mre+QIAl6Wg1ZwKeqEqkMUKb/4PBB6Rp9hhIs7yKak6odIfSitt3HRuMpGJzhzhA4itVhgRK+9xeR9FA7/Q7YhsOgqWh2w==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
When encrypting configuration sections, different encryption providers can be chosen, or a custom provider can be used. By default, Microsoft offers two providers: ‘RsaProtectedConfigurationProvider’ and ‘DPAPIProtectedConfigurationProvider’. More details on providers can be found in the MSDN documentation.
In this case the ‘RsaProtectedConfigurationProvider’ was used; it is the default provider, and no other provider was specified in the command above.
Once the web.config file is encrypted, the identity configured for the application pool needs to be granted access to the RSA key container used by the ‘RsaProtectedConfigurationProvider’, because the section is decrypted at runtime under that identity. In this example the user “NT AUTHORITY\NETWORK SERVICE” is the application pool identity. Access to the key container, in this case ‘NetFrameworkConfigurationKey’ (the container used by the default provider), is granted with the following command:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
Now the configuration file is encrypted, and the application pool identity is allowed to use the keys needed by the respective provider. So what needs to be done in the OpenAccess code? The answer is: nothing! The section is decrypted transparently by the configuration system, so everything works out of the box.
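The two steps above, plus a check that the section really ended up encrypted, as a PowerShell script added here for illustration (it is not part of the original post or of OpenAccess). It assumes the site path "/YourWebsiteName", the application pool identity "NT AUTHORITY\NETWORK SERVICE", the 64-bit .NET Framework 4 tools directory, and a physical web.config path under C:\inetpub\wwwroot; adjust these to your deployment. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): encrypt the connectionStrings section
# of a deployed site's web.config, grant the app-pool identity access to the RSA
# key container, and verify that no plaintext connection string remains on disk.

# --- Assumed values (adjust to your deployment) ---
$SiteName      = "/YourWebsiteName"                               # assumption: IIS application path
$AppPoolUser   = "NT AUTHORITY\NETWORK SERVICE"                   # assumption: app-pool identity
$WebConfigPath = "C:\inetpub\wwwroot\YourWebsiteName\web.config"  # assumption: physical path of the site
$KeyContainer  = "NetFrameworkConfigurationKey"                   # default container of RsaProtectedConfigurationProvider
$RegIis        = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

function Test-ConnectionStringsEncrypted {
    # Returns $true only if the section is protected: it carries a
    # configProtectionProvider attribute, contains an EncryptedData child,
    # and no plaintext <add ... connectionString="..."> entries are left.
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -Path $Path -Raw
    $section = $cfg.configuration.connectionStrings
    if ($null -eq $section) { return $false }

    $hasProvider  = -not [string]::IsNullOrEmpty($section.configProtectionProvider)
    $hasCipher    = $null -ne $section.EncryptedData
    $hasPlaintext = $section.SelectNodes("add[@connectionString]").Count -gt 0

    return ($hasProvider -and $hasCipher -and -not $hasPlaintext)
}

if (-not (Test-Path $RegIis)) { throw "aspnet_regiis.exe not found at $RegIis" }

# 1. Encrypt the section in place (same command as in the post).
& $RegIis -pe "connectionStrings" -app $SiteName
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pe failed with exit code $LASTEXITCODE" }

# 2. Grant the application-pool identity read access to the RSA key container.
& $RegIis -pa $KeyContainer $AppPoolUser
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# 3. Verify on disk: a deployment audit should never find a plaintext connection string here.
if (Test-ConnectionStringsEncrypted -Path $WebConfigPath) {
    Write-Host "OK: connectionStrings in $WebConfigPath is encrypted."
} else {
    throw "connectionStrings in $WebConfigPath is NOT encrypted (or still contains plaintext entries)."
}
```

The check function is also useful on its own: pointed at any web.config it tells you whether the section was protected, which is the state a deployment pipeline or a periodic configuration audit should assert before the site goes live.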
More details about how to encrypt configuration files, define custom providers and key management can be found in the respective MSDN documentation.
Ralph Waldenmaier is Senior Software Developer in Telerik OpenAccess ORM