Encrypting <appSettings> tags in web.config file

3
votes

I have recently come across this article which describes the process of encrypting the connectionString tags in the web.config file:

http://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/

I have used the same method to encrypt the appSettings tag in the web.config file containing my encryption key.

My question is, if I give the project to someone else who will run it on a different machine, would they be able to use the reverse process to decrypt the appSettings tag in the web.config file using aspnet_regiis tool? If not, will the project still work on his machine?

This is how I am retrieving the encryption key in my code:

string block_size = ConfigurationManager.AppSettings["rgbIV"];
string encryption_key = ConfigurationManager.AppSettings["key"];
2
c#.netencryptionkey
I'm betting it uses some salt value from the encrypting server in order to ensure that it can't be decrypted on another machine. Read the docs I reckon...Charleh

2 Answers

4
votes

Docs confirm that depending on the encryption provider I might be right:

http://www.asp.net/web-forms/tutorials/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-vb

Note: Since we are using the DPAPI provider, which uses keys specific to the computer, you must run aspnet_regiis.exe from the same machine from which the web pages are being served. For example, if you run this command line program from your local development machine and then upload the encrypted Web.config file to the production server, the production server will not be able to decrypt the connection string information since it was encrypted using keys specific to your development machine. The RSA provider does not have this limitation as it is possible to export the RSA keys to another machine.

So for RSA some keys are used - and without these keys the 3rd party will have a useless mess of data.

2
votes

There are two types of encryption: symmetric and asymmetric.

Given you release an encrypted version of web.config symmetric encryption will not be practically possible to decrypt as it is machine-specific (encrypted on one machine, can only be decrypted on that particular machine or even by specific user).

Asymmetric encryption (RSA) allows you to securely share web.config. Given you provide a private key, the recipient will be able to decrypt the content. If you do not share the private key it is practically impossible to get anything but random junk.