Encrypting configuration information within the web.config

This article describes how to encrypt sensitive information that is stored in a web.config file using the standard ASP.NET feature Protected Configuration.

Notice that using this feature is different from the approach described in Encrypting configuration files. The latter uses a Smartsite iXperion specific implementation and is only intended for Smartsite iXperion specific configuration files (all configuration files whose names start with Smartsite).

And although the end result is very similar, you cannot (at least at this moment) use the Config Editor or ConfigProtect to encrypt/decrypt the web.config.

Unencrypted section

When (a section within) the web.config file is not encrypted, everything is stored in a readable format. The example below shows a non-encrypted membership section.

<membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add applicationName="Smartsite" name="SqlMembershipProvider" 
       type="Smartsite.Security.Authentication.SqlMembershipProvider, Smartsite.Security" enablePasswordRetrieval="true" 
       enablePasswordReset="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" writeExceptionsToEventLog="true" />
  </providers>
</membership>

The SqlMembershipProvider in this example doesn't contain highly sensitive information, such as user names, passwords or connection strings. However, if you are using the Active Directory Membership Provider, the definition for this provider does contain user name/password information, which shouldn't be stored in a readable format.

Encrypted section

Storing sensitive information within the web.config in a non-readable format improves the security of your web site by making it difficult for an attacker to gain access to the sensitive information, even if an attacker gains access to the web.config file. The same example as shown above, but this time in encrypted format looks like this:

<membership configProtectionProvider="RsaProtectedConfigurationProvider">
   <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
       <KeyName>Rsa Key</KeyName>
      </KeyInfo>
      <CipherData>
       <CipherValue>dJsYK/IBgBIlHx9G9GI6cDt9ZRpvulA+rwPF4A8cl5XYyiaSUspOa7oceWxR869aHY/MEzOkfaP/7DaQNmXos6ahJMt1wWzGybj0l+T0aPODw+ss9LNwgLCUpAH0qJJn1fxL9jIZV/Tkj/Ac9ByeV5AoZbnUn6sD09WuVe953LY=</CipherValue>
      </CipherData>
     </EncryptedKey>
    </KeyInfo>
    <CipherData>
     <CipherValue>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</CipherValue>
    </CipherData>
   </EncryptedData>
</membership>

A configuration file that encrypts a section using Protected Configuration does not show the sensitive information in clear text, but instead stores it in encrypted form. Since this is a standard ASP.NET feature, you don't need to worry about decryption: the .NET Framework automatically decrypts the encrypted sections whenever the web.config is read (within IIS).

Managing Protected Configuration

You manage Protected Configuration using the ASP.NET IIS Registration Tool (aspnet_regiis.exe), which is located in the %SystemRoot%\Microsoft.NET\Framework[64]\versionNumber folder.
To use this tool, open a command prompt and change the directory to the appropriate .NET Framework folder.

When you want to encrypt the membership section, you would need to execute the following command:

aspnet_regiis -pef "system.web/membership" "d:\Sites\EmptySix\www"

The -pef option encrypts the specified configuration section (first parameter) of the web.config file located in the specified physical directory (second parameter). The result should be:

Encrypting configuration section...
Succeeded!

This example uses the default RsaProtectedConfigurationProvider (recommended).

To decrypt the section, execute the following command:

aspnet_regiis -pdf "system.web/membership" "d:\Sites\EmptySix\www"

The result should be:

Decrypting configuration section...
Succeeded!


Granting Read Access to an RSA Encryption Key

Before ASP.NET can decrypt encrypted information in the web.config file, the identity of the ASP.NET application (the application pool identity) must have read access to the encryption key that is used to encrypt and decrypt the encrypted sections. When using the default RsaProtectedConfigurationProvider provider that is specified in the machine.config, the default RSA Key Container is named NetFrameworkConfigurationKey.

Grant this access with the aspnet_regiis tool. When the application pool(s) of your site are configured to use the Network Service identity, the following command grants this account read access to the machine-level NetFrameworkConfigurationKey RSA Key Container:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

The result should be:

Adding ACL for access to the RSA Key Container...
Succeeded!

When using Smartsite impersonation (recommended!), you also need to grant read access on the RSA Key Container to every (Windows) account specified within the Smartsite.Security.config.
For example:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "iXperion_Guest"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "iXperion_Visitor"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "iXperion_User"
aspnet_regiis -pa "NetFrameworkConfigurationKey" "iXperion_Admin"

To remove the permission for a specified user to access the specified key container, execute the following command:

aspnet_regiis -pr "NetFrameworkConfigurationKey" "iXperion_Guest"

The result should be:

Removing ACL for access to the RSA Key Container...
Succeeded!
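The commands above are normally typed one by one at a command prompt. The following PowerShell script is an added example (not part of this article or of Smartsite) that wraps the same aspnet_regiis.exe calls for the encryption procedure and for granting key-container access: it locates the tool under %SystemRoot%\Microsoft.NET, checks the exit code of every call, verifies after -pef that the section really carries the configProtectionProvider attribute, and resolves the account to grant from the application pool's configured identity (Network Service as in the article, or "IIS AppPool\<poolname>" when the pool runs under ApplicationPoolIdentity). The .NET 4.x folder name v4.0.30319, the site path d:\Sites\EmptySix\www and the iXperion_* accounts come from the article or from the installed framework; the application pool name "EmptySix" is an assumption. The script must run in an elevated prompt, since -pa changes an ACL on a machine-level key container.

```powershell
# Added example, not from the Smartsite article. Assumes .NET Framework 4.x and the
# WebAdministration module (IIS). App pool name 'EmptySix' is a placeholder assumption.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-AspNetRegIis {
    # Prefer the 64-bit framework folder, fall back to the 32-bit one.
    $candidates = @(
        (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'),
        (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw 'aspnet_regiis.exe not found; is the .NET Framework 4.x installed?'
}

function Invoke-AspNetRegIis {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $tool = Get-AspNetRegIis
    # aspnet_regiis prints "Succeeded!" or an error text; the exit code tells us which.
    $output = & $tool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

function Test-WebConfigSectionProtected {
    param([Parameter(Mandatory)][string]$SitePath,
          [Parameter(Mandatory)][string]$Section)   # e.g. 'system.web/membership'
    # Walk the slash-separated section path down from <configuration>; Protected
    # Configuration marks an encrypted section with a configProtectionProvider attribute.
    [xml]$config = Get-Content -LiteralPath (Join-Path $SitePath 'web.config') -Raw
    $node = $config.DocumentElement
    foreach ($name in $Section -split '/') {
        $node = $node.SelectSingleNode($name)
        if ($null -eq $node) { throw "Section '$Section' not found in web.config" }
    }
    return -not [string]::IsNullOrEmpty($node.GetAttribute('configProtectionProvider'))
}

function Protect-WebConfigSection {
    param([Parameter(Mandatory)][string]$SitePath,
          [Parameter(Mandatory)][string]$Section,
          [string]$Provider = 'RsaProtectedConfigurationProvider')
    if (Test-WebConfigSectionProtected -SitePath $SitePath -Section $Section) {
        Write-Verbose "$Section is already protected; nothing to do"
        return
    }
    # -pef encrypts the section in the web.config of the given physical directory.
    Invoke-AspNetRegIis -Arguments @('-pef', $Section, $SitePath, '-prov', $Provider) | Out-Null
    if (-not (Test-WebConfigSectionProtected -SitePath $SitePath -Section $Section)) {
        throw "aspnet_regiis reported success but '$Section' is still in clear text"
    }
}

function Unprotect-WebConfigSection {
    param([Parameter(Mandatory)][string]$SitePath,
          [Parameter(Mandatory)][string]$Section)
    # -pdf is the inverse of -pef; needed e.g. before opening the Config Editor.
    Invoke-AspNetRegIis -Arguments @('-pdf', $Section, $SitePath) | Out-Null
}

function Get-AppPoolAccount {
    param([Parameter(Mandatory)][string]$AppPool)
    # Map the pool's configured identity to the account name that -pa expects.
    Import-Module WebAdministration
    $model = (Get-ItemProperty -Path "IIS:\AppPools\$AppPool").processModel
    switch ($model.identityType) {
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'ApplicationPoolIdentity' { "IIS AppPool\$AppPool" }
        'SpecificUser'            { $model.userName }
        default { throw "Unknown application pool identity type '$($model.identityType)'" }
    }
}

function Grant-RsaKeyContainerAccess {
    param([Parameter(Mandatory)][string[]]$Accounts,
          [string]$Container = 'NetFrameworkConfigurationKey')
    foreach ($account in $Accounts) {
        # -pa grants read access on the machine-level container (-pr would revoke it).
        Invoke-AspNetRegIis -Arguments @('-pa', $Container, $account) | Out-Null
    }
}

# Usage: encrypt the membership section, then grant the pool identity and the
# impersonation accounts from Smartsite.Security.config read access to the key.
$site = 'd:\Sites\EmptySix\www'
Protect-WebConfigSection -SitePath $site -Section 'system.web/membership'
$accounts = @(Get-AppPoolAccount -AppPool 'EmptySix') +
            @('iXperion_Guest', 'iXperion_Visitor', 'iXperion_User', 'iXperion_Admin')
Grant-RsaKeyContainerAccess -Accounts $accounts
```

Test-WebConfigSectionProtected is also handy on its own as a periodic check that nobody has decrypted a section and forgotten to encrypt it again, and Unprotect-WebConfigSection followed by Protect-WebConfigSection is the decrypt, edit, re-encrypt cycle that the Config Editor section below requires.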


Config Editor

The Config Editor currently doesn't support this kind of config protection. Sections that are encrypted this way therefore cannot be read, and consequently the configuration settings in such a section cannot be read by the Config Editor either. This could lead to errors or false warnings when validating your site.

When you have used Protected Configuration within your web.config, you must therefore first decrypt the encrypted sections before using the Config Editor. After having saved any changes, close the Config Editor and encrypt the sections again.