I am developing a web app which requires a username and password to be stored in the web.Config, it also refers to some URLs which will be requested by the web app itself and never the client.
I know the .Net framework will not allow a web.config file to be served, however I still think its bad practice to leave this sort of information in plain text.
Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.
Can anyone recommend any good, free encryption DLL's or methods which I can use? I'd rather not develop my own!
Thanks for the feedback so far guys but I am not able to issue commands and and not able to edit the registry. Its going to have to be an encryption util/helper but just wondering which one!
- Encrypting and Decrypting Configuration Sections (ASP.NET) on MSDN
- Encrypting Web.Config Values in ASP.NET 2.0 on ScottGu's blog
- Encrypting Custom Configuration Sections on K. Scott Allen's blog
EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSection method.
Sample on codeproject:
Encryption of Connection Strings inside the Web.config in ASP.Net 2.0
While on the first glance it seems to be straightforward, there are a couple of hurdles I encountered.
So I am providing steps that worked fine for me (to encrypt the appSettings section) using the default crypto provider:
Encrypt sections in the web.config:
- Open Admin command shell (run as administrator!). The command prompt will be on
C:
which is assumed for the steps below.
Further assumed is that the application is deployed on D:\Apps\myApp
- replace this by the path you're using in step 3.
cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
, on 32 bit Windows systems use Framework
instead of Framework64
cd /D "D:\Apps\myApp"
Note: The /D
switch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will be D:\Apps\myApp
afterwards.
c:aspnet_regiis -pef appConfig .
You should see this message:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Encrypting configuration section...
Succeeded!
You can also Decrypt sections in the web.config:
These are the same steps, but with option -pdf
instead of -pef
for aspnet_regiis.
It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection strings section via:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
More details about that can be found here.
Note: The encryption above is transparent to your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparent encryption, for example by using Microsoft's DPAPI or by using AES along with the Framework's AES Class.
How it is done with DPAPI I have described here at Stackoverflow. DPAPI works very similar in a sense that it uses the machine's or user credential's keys. Generally, non-transparent encryption gives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.
Use aspnet_setreg.exe http://support.microsoft.com/kb/329290