I know that ppl have already asked questions regarding encrypting web.config.

im also trying to encrypt my test config file, but im getting this error.

aspnet_regiis -pef "connectionStrings" "C:\encryptedWeb.config" Encrypting configuration section... The configuration for physical path 'C:\EncryptedWeb.config' cannot be opened. Failed!

I just want to know, what could be reasons that it failed.

I got the answer, it was the readonly property of the web.config which was the problem. After I removed the readonly It worked like a charm.

for the command "aspnet_regiis -pef" the path of configuration file is the physical path (Not virtual) and also it is the path of directory/folder where web.config resides. So one should not include the name of file in path e.g.

if your web.config path is at D:\MyConfiguration\web.config then while encrypting/decrypting you will use it as follow:

encrypt:

aspnet_regiis -pef [sectionName] "D:\MyConfiguration"

decrypt:

aspnet_regiis -pdf [sectionName] "D:\MyConfiguration"

I know this is old, but I've just had the same issue and none of the other answers got the problem.

You're not supposed to put the filename in the path, and the file MUST be called web.config. So for your example, if your web.config file is actually in C:\ you would put:

aspnet_regiis -pef "connectionStrings" "C:\"

and your file MUST be called web.config as the tool will only look for that file.

For those people whose file isn't in C:\ you'll need to put the full path to the file (root of the site). You'll also need to cd into the directory containing the aspnet_regiis.exe file or put the full file path for the tool as well:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pef "ConnectionStrings" "C:\Ghron\Projects\Company\trunk\project1\project1"

Also, some of the other answers are valid points - the parameters are case sensitive, so your paths and section names must be in the right case. I wasted about 20 minutes using "ConnectionStrings" instead of "connectionStrings" (lower case c).

The Sections are CASE SENSITIVE.

Do not Add \ at the end of the path (no web.config needed).

You don't need to do it straight on a site; instead, copy the file to any location.

Encrypting:

aspnet_regiis -pef "SECTIONTOENTRYPT" "d:\tempEnCrypt" -prov WhateverProviderYouAreUsing 

Decrypting:

aspnet_regiis -pdf "SECTIONTOENTRYPT" "d:\tempEncrypt"

You can use this to encrypt an app.config as well, just rename the file for the encryption/decryption as web.config

Take a look at this , see if you set it up correctly

http://msdn.microsoft.com/en-us/library/ms998283.aspx

A possibiliity is to specify the site with -site "SiteName" otherwise it will use the default web site.

You could try and use this tool to encrypt you web config

I was experiencing the same problem and here's what worked for me:

1. add the aspnet_regiis tool's folder path to your %PATH% variable. This ensures that the tool is accessable from any folder in your command line. See this page for a brief explanation of how to add %PATH% variables: http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx
2. navigate to your web root folder (don't know if this is necessary but that's where I was navigated when I executed the command)

3. execute the command with the -pe argument and the -app argument like such:

   aspnet_regiis -pe {section to encrypt} -app "{path from root folder to app, like: "/myappname", use quotes}

I am having same issue while encrypting configuration file from a web site. Provide command to encrypt from a site and not default website. Below command works when application is in defaultwebsite: aspnet_regiis.exe -pe "connectionStrings" -app "/sitename" -prov "DataProtectionConfigurationProvider"

I got an "illegal characters in path" error that went away when I removed the double quotes that surrounded my path name. Doesn't make any sense, but there you are.

I also wrote a PowerShell script to do the encrypt/decrypt without dealing with aspnet_regiis : https://github.com/mhenry1384/EncryptDecryptConfig

Encrypt/Decrypt web.config

• source is taken from this link https://mywebanecdotes.com/2016/09/17/encrypting-credentials-in-app-config-for-multiple-machines/
• Firstly, if you have App.config, you need to rename to Web.config. And when done rename it back. This is because aspnet_regiis.exe recognize only Web.config file.
• Then create a custom attribute SecuredSettings(any name is fine) either in you App.config or Web.config file.

<configuration>
<configSections>
   <section name="SecuredSettings" type="System.Configuration.NameValueSectionHandler" />
 </configSections>
 <SecuredSettings>
      <add key="pwrd" value="password" />
 </SecuredSettings>
 <configProtectedData>
   <providers>
     <add keyContainerName="MyCustomKeys"
              useMachineContainer="true"
              name="MyEncryptionProvider"
              type="System.Configuration.RsaProtectedConfigurationProvider"/>
   </providers>
 </configProtectedData>

</configuration>

• In C# you can retrieve these values as you would do it normally. eg:

var attr = ConfigurationManager.GetSection("SecuredSettings") as NameValueCollection;
var value = attr["pwrd"];

• The rest is ecrypting or decrypting
• Run cmd As Administrator , and locate to C:\Windows\Microsoft.NET\Framework\v4.0.30319
• "Create a public/private RSA key pair with a specfic container name. They should also be marked as exportable (otherwise what is the point!)"
• aspnet_regiis.exe -pc MyCustomKeys -exp
• "Grant permissions for accounts to access the container"
• aspnet_regiis.exe -pa MyCustomKeys "NT AUTHORITY\NETWORK SERVICE"
• "The following line will now encrypt your section (the pwdr value). The -pef switch is telling the application to look for a web.config file and to use provider that is declared in the beginning (which is using type RsaProtectedConfigurationProvider)"
• aspnet_regiis.exe -pef "SecuredSettings" "C:\DEV\ConsoleApp\DEX" -prov MyEncryptionProvider
• Export those Keys to another machine (if needed)
• aspnet_regiis.exe -px MyCustomKeys keys.xml -pri it will generate keys.xml file in C:\Windows\Microsoft.NET\Framework\v4.0.30319
• copy this file and put it in another machine where you would like to use it, to the same location C:\Windows\Microsoft.NET\Framework\v4.0.30319, and run:
• aspnet_regiis -pi MyCustomKeys keys.xml
• after you can delete the file from both sides.
• Don't forget to rename Web.config to App.config, if you did so at the beginning.
• TO Decrypt the file:
• aspnet_regiis.exe -pdf "SecuredSettings" "C:\DEV\ConsoleApp\DEX"