Encrypt Decrypt IIS Web.config

Introduction

Sensitive information for ASP.NET applications is commonly placed in the XML file Web.config, which the web application needs at runtime. This config file holds sensitive information for connecting to databases or an SMTP server, API keys used within the application, and credentials for internal or external web services. Sensitive values such as the database name, port, username and password should be encrypted so that they are not exposed to everyone who can read the file.

As Web.config may contain sensitive data, it is important that its contents are kept safe and hidden from unauthorized users. By default, any HTTP request for a file with the .config extension is handled by the ASP.NET engine, which returns a "page not served" error instead of the file. However, what if an attacker is able to obtain your Web.config file through some other vulnerability? With the sensitive information stored in it, they can get into the other web services or databases that the application uses.

Configuration provider

ASP.NET includes a protected configuration system for encrypting and decrypting configuration information. This includes methods in the .NET Framework that can be used to programmatically encrypt or decrypt configuration information. The protected configuration system uses the provider model, which allows developers to choose which cryptographic implementation is used.

The .NET Framework ships with two protected configuration providers:

Encrypting Sensitive Data

We will create a custom data provider based on RSAProtectedConfigurationProvider, which will encrypt any sensitive information stored in Web.config. At runtime, the IIS web server is capable of decrypting the sensitive information stored in Web.config in order to run the web application.

The figure below shows the complete process of encryption and decryption of Web.config.
[Figure: EncryptionProcess]

Steps to Encrypt Config File

Here are the steps to encrypt the config file.

  1. Take the Web.config file.
  2. Create a custom config provider using RSAProtectedConfigurationProvider.
  3. Append the Web.config file with the custom data provider.
  4. Encrypt the Web.config file using the custom data provider.

All these steps are achieved using the EncryptConfigs tool.
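The same four steps, done by hand with aspnet_regiis.exe and then checked through the .NET protected configuration API described in the Configuration provider section, as an added example run from an elevated PowerShell session on the IIS host. This is not the EncryptConfigs tool or any code from this article, and the site path, provider name, RSA key container name, application pool identity and Framework version path are assumptions to be replaced with your own values:

```powershell
# Added example: the article's four steps done by hand with aspnet_regiis.exe
# and the .NET protected configuration API. Every value below is an assumption
# (site path, provider and key container names, app-pool identity, Framework
# version path); replace them with your own.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Configuration

$webConfig   = 'C:\inetpub\wwwroot\MyApp\Web.config'     # assumed site path
$provider    = 'CustomRsaProvider'                        # assumed provider name
$container   = 'MyAppRsaKeys'                             # assumed RSA key container
$appPoolUser = 'IIS AppPool\MyApp'                        # assumed app-pool identity
$regiis      = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$sections    = @('connectionStrings', 'appSettings')     # sections that hold secrets
$appDir      = Split-Path $webConfig -Parent

# Step 1: take the Web.config file and keep an untouched copy so the change can be reverted.
Copy-Item $webConfig "$webConfig.bak" -Force

# Step 2: create a machine-level RSA key container (-pc) for the provider to use.
# -exp makes the private key exportable so it can be moved to other nodes of a web farm.
& $regiis -pc $container -exp
if ($LASTEXITCODE -ne 0) { throw 'key container creation failed' }

# Only the identity IIS runs the application under needs to read the private key (-pa).
& $regiis -pa $container $appPoolUser
if ($LASTEXITCODE -ne 0) { throw 'granting key access failed' }

# Step 3: append the custom provider to Web.config under <configProtectedData>.
[xml]$xml = Get-Content $webConfig -Raw
$cfg = $xml.configuration
$cpd = $cfg.SelectSingleNode('configProtectedData')
if (-not $cpd) { $cpd = $cfg.AppendChild($xml.CreateElement('configProtectedData')) }
$providers = $cpd.SelectSingleNode('providers')
if (-not $providers) { $providers = $cpd.AppendChild($xml.CreateElement('providers')) }
if (-not $providers.SelectSingleNode("add[@name='$provider']")) {
    $add = $xml.CreateElement('add')
    $add.SetAttribute('name', $provider)
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', $container)
    $add.SetAttribute('useMachineContainer', 'true')
    [void]$providers.AppendChild($add)
}
$xml.Save($webConfig)

# Step 4: encrypt each sensitive section with that provider
# (-pef takes the directory that holds the Web.config).
foreach ($s in $sections) {
    & $regiis -pef $s $appDir -prov $provider
    if ($LASTEXITCODE -ne 0) { throw "encrypting $s failed" }
}

# Check 1: on disk each section now points at our provider, holds an
# <EncryptedData> element (xmlenc namespace, hence local-name()) and no plaintext password.
[xml]$after = Get-Content $webConfig -Raw
foreach ($s in $sections) {
    $node = $after.configuration.SelectSingleNode($s)
    if ($node.GetAttribute('configProtectionProvider') -ne $provider) { throw "$s is not protected by $provider" }
    if (-not $node.SelectSingleNode("*[local-name()='EncryptedData']")) { throw "$s is not encrypted on disk" }
    if ($node.OuterXml -match 'password=|pwd=') { throw "$s still contains a plaintext password" }
}

# Check 2: the protected configuration API decrypts the section transparently for an
# account with access to the key container, which is what IIS does at runtime.
$map = New-Object System.Configuration.ExeConfigurationFileMap
$map.ExeConfigFilename = $webConfig
$loaded = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration($map, 'None')
$cs = $loaded.GetSection('connectionStrings')
if (-not $cs.SectionInformation.IsProtected) { throw 'connectionStrings is not marked protected' }
Write-Host ("Encrypted with '{0}'; {1} connection string(s) readable through the API; backup at {2}.bak" -f $provider, $cs.ConnectionStrings.Count, $webConfig)
```

The private key in the RSA container, not the Web.config, is what now protects the secrets: back the container up with `aspnet_regiis -px`, grant access to it only to the application pool identity, and decrypt a section for maintenance with `aspnet_regiis -pdf <section> <directory>`, which reverses step 4 in place.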

[Figure: Step1]

[Figure: Step2]

[Figure: Step3]

[Figure: Step4]

Note: A Delete button is provided to remove the created custom provider if it is not required.

Download Encryption Tool.