One worry many people have is the information sitting in the web.config file, especially anything in the appSettings and/or connectionStrings sections. It might be old news to some, but you can lock down those sections to feel a little safer. (I knew there was something there, but I hadn't researched the code until last week, so it was new for me.)
Locking a section:
using System.Configuration;
using System.Web.Configuration;

// Open the root web.config of the current application.
Configuration config = WebConfigurationManager.OpenWebConfiguration("/");
ConfigurationSection sect = config.GetSection("appSettings");
// Only encrypt once; ProtectSection on an already-protected section is pointless.
if (!sect.SectionInformation.IsProtected) {
    sect.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
    config.Save();   // writes the <EncryptedData> element back to web.config
}
Unlocking a section:
// Same usings as above (System.Configuration, System.Web.Configuration).
Configuration config = WebConfigurationManager.OpenWebConfiguration("/");
ConfigurationSection sect = config.GetSection("appSettings");
// Only decrypt if the section is actually protected.
if (sect.SectionInformation.IsProtected) {
    sect.SectionInformation.UnprotectSection();
    config.Save();   // writes the plaintext <add> elements back to web.config
}
The appSettings section is then encrypted with all the joy of XML Encryption.
Before:
<appSettings>
  <add key="someKey" value="someValue" />
  <add key="anotherKey" value="anotherValue" />
  <add key="secretStuff" value="Password=password" />
</appSettings>
After:
<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>c4Tk3Jvl2FFj etc.</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>xI9gWzS9nOcD/blDgUPX you get the idea</CipherValue>
    </CipherData>
  </EncryptedData>
</appSettings>
Even better, ConfigurationManager.AppSettings reads the encrypted values without a problem (the provider decrypts them transparently at read time), so you don't have to keep flipping the section back and forth and restarting your process. You can also use aspnet_regiis to encrypt the section, but this seemed like more fun.
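As an added example (not the post's own code), here is the lock/unlock snippet above turned into a small console tool that works on a web.config sitting at a given directory, rather than on the running application's own config, and that demonstrates the read-back claim: after protecting, the configuration API still returns the plaintext values while the raw XML on disk only contains the EncryptedData element. It assumes .NET Framework with references to System.Configuration and System.Web, and that the RSA key container behind RsaProtectedConfigurationProvider is accessible to whoever runs it. The class and function names are mine.

```csharp
// Added example, not from the original post. Assumes .NET Framework,
// references to System.Configuration and System.Web, and access to the
// RSA key container used by RsaProtectedConfigurationProvider.
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

static class ConfigProtector
{
    // Provider used in the post. "DataProtectionConfigurationProvider" (DPAPI)
    // is the other built-in choice.
    const string Provider = "RsaProtectedConfigurationProvider";

    // Open the web.config in physicalDir as the root ("/") of a site, so the tool
    // can be run from outside the web application itself.
    static Configuration Open(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypts (protect == true) or decrypts one section. Returns true if the file
    // was changed; a section already in the requested state is left alone, which
    // makes repeated runs safe.
    static bool SetProtection(string physicalDir, string sectionName, bool protect)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("section '" + sectionName + "' not found in " + config.FilePath);

        if (section.SectionInformation.IsProtected == protect)
            return false;

        if (protect)
            section.SectionInformation.ProtectSection(Provider);
        else
            section.SectionInformation.UnprotectSection();

        // Save only what changed; the unrelated sections are left untouched.
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main(string[] args)
    {
        if (args.Length < 3 || (args[0] != "protect" && args[0] != "unprotect"))
        {
            Console.Error.WriteLine("usage: ConfigProtector protect|unprotect <site-dir> <section> [<section> ...]");
            Environment.Exit(2);
        }
        bool protect = args[0] == "protect";
        string dir = Path.GetFullPath(args[1]);

        for (int i = 2; i < args.Length; i++)
        {
            bool changed = SetProtection(dir, args[i], protect);
            Console.WriteLine("{0}: {1}", args[i],
                changed ? (protect ? "encrypted" : "decrypted") : "already in requested state");
        }

        // Two views of the same file: the API decrypts transparently on read,
        // while the raw XML no longer contains the plaintext values.
        Configuration reopened = Open(dir);
        foreach (string key in reopened.AppSettings.Settings.AllKeys)
            Console.WriteLine("appSettings[{0}] via API = {1}", key, reopened.AppSettings.Settings[key].Value);

        string raw = File.ReadAllText(reopened.FilePath);
        Console.WriteLine("raw file contains <EncryptedData>: {0}", raw.Contains("<EncryptedData"));
    }
}
```

Typical use is `ConfigProtector protect C:\inetpub\mysite appSettings connectionStrings`. The one operational catch with the RSA provider is the key container: the account the site runs under must be able to read it, which is what `aspnet_regiis -pa` grants, and a web.config encrypted on one machine only decrypts on another if the same container has been exported and imported there (`aspnet_regiis -px` / `-pi`); otherwise the app pool fails at startup with a "key not valid for use in specified state" style error rather than silently reading garbage.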
posted on Monday, August 20, 2007 11:52 AM