Sunday, July 24, 2011

How to encrypt the connection string in web.config in Asp.net Web Application or Site and SharePoint Web Application

In order to encrypt sensitive information in the web.config of Asp.net Web application/Site or SharePoint Web application like connection String which include user name and password or any data in appSettings so to secure your data easily you can use .net 2.0 tool called (aspnet_regiis.exe).


In this post I will show you how to encrypt/decrypt appSettings data in Web.config using the aspnet_regiis tool.

So first go to command prompt of .net 2.0 which located in this path:

C:\Windows\Microsoft.NET\Framework\v2.0.50727>


Then I have a Test Web application with this section in web.config

<appSettings>
    <add key="MyPassword" value="1234"/>
</appSettings>


Now to encrypt this data, just run the following command:


aspnet_regiis -pef "appSettings" "D:\CustomFunctoids\TestWeb\TestWeb"

first parameter : name of section you want to encrypt it
second parameter : the folder directory of the web application which contains the web.config



So you will get a succeeded message tell you that the encryption done.
Now check your web.config /appSettings section and you will see something like this:

<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>BPLmgrIVZKTDerhKlyktxqnn5iybr8aO0IInylE8uT1Pe3zCB5y9DIHqlllH3e0sz6TtJaU/wS0oEiPIWMMO0BL/BPdj9E5Onq4nYiA2r/zBPCR6H0nYhk9/uMjao4YDcg6daask65Y8Mx1RBO/xM/IKzdNGXICpiF09Mrwrv1Q=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>kziM2nK5Ej6kg7hxnN2shTB8EiMW/I5jrgQRJAIRD5gSV/KG6iYslstFz+r+6Wk9OKXKP2zUhDRl42++HOWbtjqJn5XjmHuzy3tHy+7YMvRL6CNY7lXQTQ==</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>


So it encrypted by using RsaProtectedConfigurationProvider algorithm
Now if your browse your site and you get this error :

"Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not be opened"


this means the user used by the Asp.Net web site does not have access to read this key container so to know what the name of user ?  you can create a simple .aspx page and place this code inside it
to determine the user account or identity under which ASP.NET runs by retrieving the current WindowsIdentity name.


<%@ Page Language="C#" %>
<%
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
%>


So this page will print the current user used to run the web site so in my PC I got this result "VAIO-PC\VAIO"
now to grant this user ability to read this encrypted data run the following command


aspnet_regiis -pa "NetFrameworkConfigurationKey" "VAIO-PC\VAIO"


Now what if you want to decrypt the data to modify it so how to decrypt the appSettings section ?
run the following command to return to the normal status (Plan text)

aspnet_regiis -pdf "appSettings" "D:\CustomFunctoids\TestWeb\TestWeb"


Notes:
1.       You need to run this in all front end servers
2.       No need to any changes in your code because .net code can recognize this changes
3.       You can do the above steps by .net code

2 comments:

إسماعيل عنجريني (Ismaeel Enjreny) said...

I think it is very important topic, all of us forget to do it.

I have a question:
Is "System.Security.Principal.WindowsIdentity.GetCurrent().Name" it the same of application pool account? I believe it is, if yes let us take from inetmgr (IIS Manager).

Thank you Fadi and I am waiting more

Fadi Ahmad Abdulwahab said...

yes but in case there is no identity impersonate="true" in the web.config.

[Note from Microsoft Site]
By default, on Windows Server 2003 with impersonation for an ASP.NET application disabled in the Web.config file, the identity under which the application runs is the NETWORK SERVICE account. On other versions of Windows, ASP.NET runs under the local ASPNET account