How to encrypt the Web.Config

In the security session we did I showed in one of the sample how you can encrypt the web.config file by adding code to the global.asax file. The cool part of this is that using this technique you can secure application specific settings like connection strings and other data in the unlikely event that someone is able to get a copy of the configuration file (like by copying it to a thumb drive from the host machine or something similar).

The basic logic is to create a variable that points to a configuration section, then checking that the section is protected (i.e. encrypted). If it isn't, then call the ProtectSection method to encrypt the contents.  The server uses the local DPAPI (Data Protection API) to encrypt the configuration section with a machine specific key, so only that machine can decrypt the contents. The code for this is:


public class Global : System.Web.HttpApplication { protected void Session_Start(object sender, EventArgs e) { EncryptSection("appSettings"); }

private void EncryptSection(string sSection) { Configuration config = System.Web.Configuration .WebConfigurationManager .OpenWebConfiguration (Context.Request.ApplicationPath); ConfigurationSection configSection = config.GetSection(sSection); if (!configSection.SectionInformation.IsProtected) { configSection.SectionInformation.ProtectSection ("DataProtectionConfigurationProvider"); config.Save(); } }

Happy Coding!