Select a Machine Key Encryption Method (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Select a machine key encryption method to provide added security for the machine key you create.

The following encryption methods are available:

  • Advanced Encryption Standard (AES) is relatively easy to implement and requires little memory. AES has a key size of 128, 192, or 256 bits. This method uses the same private key to encrypt and decrypt data, whereas a public-key method must use a pair of keys.

  • Message Digest 5 (MD5) is used for digital signing of applications, for example, mail messages. This method produces a 128-bit message digest, which is a compressed form of the original data. MD5 can provide some protection against computer viruses and programs that mimic a benign application but are actually destructive. These programs are known as Trojan Horses.

  • Secure Hash Algorithm (SHA1), the default, is considered more secure than MD5 because it produces a 160-bit message digest. You should use SHA1 encryption whenever possible.

  • Triple Data Encryption Standard (TripleDES) is a minor variation of Data Encryption Standard (DES). It is three times slower than regular DES but can be more secure because it has a key size of 192 bits. If performance is not your primary consideration, consider using TripleDES.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Machine Keys Feature Requirements (IIS 7).

Exceptions to feature requirements

  • None

To select a machine key encryption method

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To Use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Machine Key.

  3. On the Machine Key page, select an encryption method from the Encryption method drop-down list. The default encryption method is SHA1.

  4. In the Actions pane, click Apply.


To select a machine key encryption method, use the following syntax:

appcmd set config /commit:WEBROOT /section:machineKey y /validation:MD5|SHA1|3DES|AES

The variable validation is the encryption method that is used by the application services. The default value is SHA1. For example, to set the encryption method to MD5, type the following at the command prompt, and then press Enter:

appcmd set config /commit:WEBROOT /section:machineKey /validation:MD5


When you use Appcmd.exe to configure the <machineKey> element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:

  • <machineKey> element, defined in Machine.config file.

For more information about IISĀ 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • MachineKeySection class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring Machine Keys in IIS 7