Encrypting appSettings in web.config

While on the first glance it seems to be straightforward, there are a couple of hurdles I encountered.

So I am providing steps that worked fine for me (to encrypt the appSettings section) using the default crypto provider:

Encrypt sections in the web.config:

  1. Open Admin command shell (run as administrator!). The command prompt will be on C: which is assumed for the steps below.
    Further assumed is that the application is deployed on D:\Apps\myApp - replace this by the path you're using in step 3.
  2. cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319", on 32 bit Windows systems use Framework instead of Framework64
  3. cd /D "D:\Apps\myApp"
    Note: The /D switch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will be D:\Apps\myApp afterwards.
  4. c:aspnet_regiis -pef appConfig .

You should see this message:

Microsoft (R) ASP.NET RegIIS version 4.0.30319.0 Administration utility to install and uninstall ASP.NET on the local machine. Copyright (C) Microsoft Corporation. All rights reserved. Encrypting configuration section... Succeeded!

You can also Decrypt sections in the web.config: These are the same steps, but with option -pdf instead of -pef for aspnet_regiis.

It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection strings section via:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

More details about that can be found here.


Note: The encryption above is transparent to your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparent encryption, for example by using Microsoft's DPAPI or by using AES along with the Framework's AES Class.
How it is done with DPAPI I have described here at Stackoverflow. DPAPI works very similar in a sense that it uses the machine's or user credential's keys. Generally, non-transparent encryption gives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.


  • Encrypting and Decrypting Configuration Sections (ASP.NET) on MSDN
  • Encrypting Web.Config Values in ASP.NET 2.0 on ScottGu's blog
  • Encrypting Custom Configuration Sections on K. Scott Allen's blog

EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSection method.

Sample on codeproject:

Encryption of Connection Strings inside the Web.config in ASP.Net 2.0