Monday 9 May 2016

Encrypt Web config's section for ASP.NET Website

Hi guys, welcome back. I was reading about how to make a website more secure, and while studying I found that we can encrypt sections of web.config. I thought it was an interesting topic to do some R&D on, so I started working on it, and now I am able to encrypt sections of the web.config file.

Let's start encrypting web.config sections. In this article I am encrypting the connectionStrings section.

Steps to do a simple demo:

1. Create a new website.
2. Add a connectionStrings element to its web.config and connect to any DB.
3. Open "Developer Command Prompt for Visual Studio" with administrator privileges.
4. Change the command prompt's directory to the folder of the .NET version your website targets. For this example I created the website in version 4.5:

so I changed the command prompt directory to

C:\Windows\Microsoft.NET\Framework\v4.0.30319

5. Add the following section to web.config under the configuration tag:

<configProtectedData defaultProvider="SampleProvider">
<providers>
  <add name="SampleProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider, 
          System.Configuration, Version=2.0.0.0, Culture=neutral, 
          PublicKeyToken=b03f5f7f11d50a3a,
         processorArchitecture=MSIL"
    keyContainerName="SampleKeys" 
    useMachineContainer="true" />
</providers>
</configProtectedData>

6. Now run the following command in the command prompt:

aspnet_regiis -pef "connectionStrings" "E:\New folder\WebApplication2\WebApplication2"

7. Now check your web.config file; you will find that the connectionStrings section has changed to a format similar to the one below:

<connectionStrings configProtectionProvider="SampleProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <KeyName>Rsa Key</KeyName>
      </KeyInfo>
      <CipherData>
        <CipherValue>BHvfwKGyvl2xYIxhRwvNLSwHzLgwBCSgMSSjEGiLK5zb9+K2u2WRgOSpMcjcIuJZCBThW5Ob+cOFZLdhHgPN5PAnDi0cTmoT+mk4fgPoJn2FMaND1+wcxjWtzunK9ipjnSWjNqZtbmbcj7LYppR2EOTwHAWCgZFTPIoqRV01Now=</CipherValue>
      </CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData>
    <CipherValue>wunR4sanau6/KBtTDqpP/KSaI5BA9Tj7AqywCHkHgQlNEdHEUHN7W0qfGR2soJ9cb7KMU2J6mDGMd08MzHvbln66RynDiQus+CrrX4Xzer2xZmqEZiEC+DmEWmVtvhZ+UjeTR1KE5CRH4W5IM8MKCMMdAKm9szqwNhMjobIsXbiulPG38qIkUHmhknyNaA34VzBthPFotSedpm4+zK1svUBjf+mE7BqksPBXCQk2SPaFsQ8uv89Mesuxkkx5zMmJZxVPkqseo/mOfcU5DyF8GbzHMHihpVe3Uc4pWPDAMu9yvj7wsW9S62z8TCb7UUeKnys6Nf0bug0v8k8BMRi6RBzBbACOtmByLot6AhtVKf+VDoUzkNSusXMWckZnD44gpV3SFNIQWMFLWK9bCZN76TqmsoeUzEJMuCuBpT+YpTA5gePD3uouUw==</CipherValue>
  </CipherData>
</EncryptedData>
</connectionStrings>

That's all. Now anyone who opens the web.config file will not be able to read the DB server, the DB name or the credentials.

Another good thing: you do not need to make any changes to the code that connects to the DB. Connect as we normally do; no extra effort is needed.
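
The check in step 7 can also be scripted, for example to confirm on every deployment that no web.config ships with a readable connection string. The PowerShell below is an added example, not part of the original steps: the function name Test-ConfigSectionProtected and both sample configs are constructed for illustration, and it assumes the configuration root element has no default namespace.

```powershell
# Added example: report whether a web.config section is stored encrypted.
# Test-ConfigSectionProtected is a hypothetical helper name, not a built-in cmdlet.
function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory)] [string] $ConfigXml,   # web.config content as text
        [string] $SectionName = 'connectionStrings'
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')

    # Assumes <configuration> carries no default xmlns, as in the article's file.
    $section = $doc.SelectSingleNode("/configuration/$SectionName")
    if ($null -eq $section) { return 'Missing' }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode('enc:EncryptedData', $ns)
    # Any <add connectionString="..."> still present is readable as plain text.
    $plain     = $section.SelectNodes('add[@connectionString]')

    if ($provider -and ($null -ne $encrypted) -and $plain.Count -eq 0) {
        return "Protected by $provider"
    }
    return 'Plaintext'
}

# Constructed sample inputs (not real servers or credentials).
$plainConfig = @'
<configuration>
  <connectionStrings>
    <add name="Db" connectionString="Server=db01;Database=Shop;User Id=app;Password=example" />
  </connectionStrings>
</configuration>
'@
$protectedConfig = @'
<configuration>
  <connectionStrings configProtectionProvider="SampleProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@

Test-ConfigSectionProtected -ConfigXml $plainConfig
Test-ConfigSectionProtected -ConfigXml $protectedConfig
```

To check a file on disk, pass its content with `-ConfigXml (Get-Content -Raw 'web.config')`.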

Bye for now. I will come back with a new article. Till then, happy coding!