Encrypting Configuration Data

You can encrypt and decrypt the data in a configuration file's configuration sections. A configuration section contains the configuration information for an application block. The configuration tool allows you to select from the encryption providers that are included in the Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses the Windows data protection API (DPAPI), and the RsaProtectedConfigurationProvider, which uses RSA.

If the encrypted configuration file is going to be on only a single server, you can use the DataProtectionConfigurationProvider. If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy for you encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.

The user account used for encrypting the file when using the RsaProtectedConfigurationProvider must have the appropriate minimal permissions, which must include read permissions on the NetFrameworkConfigurationKey key container, in order to encrypt and decrypt sections when using the Enterprise Library configuration tools. By default, this includes only administrative accounts.

The appropriate minimal permissions, which must include read permissions, are also required for run time and configuration merges performed when using the configuration tools and working with configuration sections that have been encrypted by using the RsaProtectedConfigurationProvider.

For more information see Creating and Exporting an RSA Key Container on MSDN.


Whenever you change security settings and permissions, be sure that you are aware of any security risks raised by giving elevated permissions.

To encrypt a configuration section

  1. Open one of the Enterprise Library configuration tools.
  2. Open an existing configuration file or create a new one.
  3. Click the chevron arrow at the right of name of the application block whose configuration information you want to encrypt.
  4. In the Properties pane, click the drop-down list for the Protection Provider property.
  5. Select either DataProtectionConfigurationProvider or RsaProtectedConfigurationProvider.

All the settings for the providers, such as where keys are stored, are also in the Machine.config file. You cannot change this file with a configuration tool. Instead, you must modify the file using a text editor.

To decrypt a configuration file, simply open it in the configuration tool. The file is automatically decrypted.