Secure Your .NET Config Files — Part 1 — (Encrypting Web.Config)

Swaroop Koshy Mathew
Published in Writers at Insight
3 min read · Mar 30, 2020

With data breaches becoming more common, security is an important part of software development. Clients need to be sure that their data is safe from security threats and that it is handled according to encryption standards. Web.config contains keys that hold data, and these keys usually carry sensitive information such as the database configuration and credentials. Failing to secure this information is like giving the hackers a golden chance to steal your sensitive data.

Web.config is a readable XML file that contains application-wide data such as database connection strings, custom error messages, cultural settings, custom configs, etc.

Web.config files are protected by IIS, so clients cannot access them. If you try to retrieve an existing http://mydomain.com/Web.config file, you’ll receive an “Access denied” error message.

IIS monitors the Web.config files for changes and caches the contents for performance reasons. There’s no need to restart the Web server after you modify a Web.config file.

Encrypting the Web.config

Step 1: Open your command prompt

Step 2: Change to the directory where the .NET Framework is installed

ex: cd C:\Windows\Microsoft.NET\Framework\v2.0.50727

Step 3: Syntax to encrypt the Web.config

aspnet_regiis -pef "<section>" "<Path of WebConfig>"
Here let us encrypt the <appSettings> section under <configuration>.

· aspnet_regiis : The ASP.NET IIS Registration Tool (Aspnet_regiis.exe) allows an administrator or installation program to easily update the script maps for an ASP.NET application to point to the ASP.NET ISAPI version that is associated with the tool.
It is also used for encrypting machine.config, web.config and custom configuration files.

· -pef : Encryption command

· -pdf : Decryption command

ex: aspnet_regiis -pef "appSettings" "C:\Project\Calculator"
Note: The section tags are case sensitive; you have to provide the section tag name exactly as it appears in the web.config.

On running the command, you will see a success message.

Now if you open your web.config, you will see that your data has been encrypted: the section now contains Cipher Data. Since the key is private and RSA is used for the encryption, you can only decrypt the file on the machine on which you encrypted it.
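To confirm the result without reading the file by eye, the check below (an added example, not code from the original article) reports whether each top-level section is encrypted, still in plaintext, moved to an external file, or missing. The function name, the sample files and the placeholder cipher text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the article): a section before encryption,
# then the shape it takes afterwards, next to a section left in plaintext.
BEFORE = """<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
</configuration>"""

AFTER = """<configuration>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="Db" connectionString="Server=db;User Id=app;Password=constructed" />
  </connectionStrings>
</configuration>"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def section_status(config_xml, sections=("appSettings", "connectionStrings")):
    """Map each section name to 'encrypted', 'plaintext', 'external' or 'missing'."""
    root = ET.fromstring(config_xml)
    if _local(root.tag) != "configuration":
        raise ValueError("root element is not <configuration>")
    found = {_local(child.tag): child for child in root}
    report = {}
    for name in sections:  # matched case-sensitively, like the tool's section argument
        node = found.get(name)
        if node is None:
            report[name] = "missing"
        elif node.get("configSource"):
            report[name] = "external"  # content lives in another file; check that file
        else:
            has_cipher = any(_local(e.tag) == "CipherValue" and (e.text or "").strip()
                             for e in node.iter())
            protected = node.get("configProtectionProvider") and has_cipher
            report[name] = "encrypted" if protected else "plaintext"
    return report

if __name__ == "__main__":
    print(section_status(BEFORE))
    print(section_status(AFTER))
```

In the second sample the connection string is still readable even though appSettings is encrypted, which is the case a deployment check should flag.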

You do not have to write code to decrypt the config in order to read its content. But if you need to modify the content of the web.config, or view the data in the file, you can decrypt the config file using the -pdf command.
ex: aspnet_regiis -pdf "<section>" "<Path of WebConfig>"

Closing Remarks
In this article, I have touched on one of the many ways of securing your data and hiding it from the outside world. Let us make our projects more secure and thereby enhance the trust of our clients and users.

Here is a link to Part 2
