0
votes

I was wondering what the best (most secure) way to encrypt Web.Config files in an ASP.Net MVC 4 Application is? I have some background with developing in-house applications using C#, but we never focused too much on encryption due to other security that was already in place.

EDIT: My host Server is ORACLE if that changes anything? A friend mentioned perhaps using aspnet_regiis.exe after deployment of my code with the '-pe' argument. Anyone have any pros/cons for this method?

EDIT2: ORACLE is a Database, not a Server! Can I go home yet?! >_<

3
Usually web.config is protected by OS Security configuration for file and folder permissions. If you have some passwords/user id/etc in your web.config, you can use System.Security.Cryptography for encryption of them, and decrypt values on your app initialization and then use them. – decho
possible duplicate of Encrypting Web.Config – CodeCaster

3 Answers

1
votes

The typical way is to use a ProtectedConfigurationProvider to encrypt the sensitive sections. There are several existing implementations. You can also implement your own if needed.

1
votes

I was wondering what the best (most secure) way to encrypt Web.Config files

"Most secure" depends on what threats you are trying to protect against. You can assume that all the standard cryptographic algorithms are secure, but by encrypting web.config, you've simply exchanged the problem of protecting plaintext credentials in web.config for the problem of protecting an encryption key.

Typically you'll use Protected Configuration to encrypt web.config.

  • If you use the DPAPI provider, you'll encrypt using the server's machine key. This means that the encryption can be broken by anyone who can log in to the server. Also by anyone with write access to a folder containing a web site on the server, because they can upload code, say an aspx page with embedded script, that can do the decryption. This is a good choice if:

    • your server is secure (not shared with other untrusted applications, e.g. a hosting environment)
    • you don't want to copy the web.config to other servers (e.g. in a web farm) - it needs to be encrypted independently on each server.
  • Alternatively, if DPAPI doesn't meet your requirements, you should probably use the RSA provider. You can protect the key with an ACL against unauthorized access by other users on the same server, and can share it across multiple servers.
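The following is an added example, not code from either answer above or from the original poster: it is the programmatic form of what the first answer calls a ProtectedConfigurationProvider and what the second answer describes as the DPAPI-versus-RSA choice, with the aspnet_regiis.exe equivalents (including the -pe switch the question asks about) in comments. It assumes a site deployed at a physical path you pass in; that path, the key container name MyWebFarmKeys, the app pool MySitePool and the provider name MyFarmRsaProvider are placeholders, not values from the thread.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the original thread). Encrypts, decrypts and inspects one
// section of a site's Web.config with Protected Configuration. Compile against
// System.Configuration.dll and System.Web.dll; run as an account that can read
// the key container (for RSA, the one granted with aspnet_regiis -pa).
public static class WebConfigProtector
{
    // The two providers that ship with .NET Framework.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Open the Web.config at a physical folder as the root of a virtual application,
    // so this works from a deployment script and not only from inside IIS.
    private static Configuration Open(string physicalSitePath)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalSitePath, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Command-line equivalents (aspnet_regiis.exe lives under %WINDIR%\Microsoft.NET\Framework[64]\v4.0.30319):
    //   aspnet_regiis -pe "connectionStrings" -app "/MySite"                       (by IIS virtual path)
    //   aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"
    //   aspnet_regiis -pd / -pdf ...                                               (decrypt)
    // With no -prov, -pe uses the RSA provider, which is the machine.config default.
    public static void Protect(string physicalSitePath, string sectionName, string providerName)
    {
        Configuration config = Open(physicalSitePath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName, "sectionName");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted; nothing to do

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true; // write even if the values did not change
        config.Save(ConfigurationSaveMode.Modified);
    }

    public static void Unprotect(string physicalSitePath, string sectionName)
    {
        Configuration config = Open(physicalSitePath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Name of the provider protecting the section, or null if it is still plaintext.
    public static string ProtectingProvider(string physicalSitePath, string sectionName)
    {
        ConfigurationSection section = Open(physicalSitePath).GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return null;
        return section.SectionInformation.ProtectionProvider.Name;
    }

    // Application code does not change: the configuration system decrypts on read,
    // which is also why anyone who can run code as the site can recover the values.
    public static string FirstConnectionString(string physicalSitePath)
    {
        var section = (ConnectionStringsSection)Open(physicalSitePath).GetSection("connectionStrings");
        return section.ConnectionStrings.Count == 0 ? null : section.ConnectionStrings[0].ConnectionString;
    }

    // Web farm with the RSA provider: create one exportable container, export it with the
    // private key, import it on every other node, and grant the app pool identity access:
    //   aspnet_regiis -pc "MyWebFarmKeys" -exp
    //   aspnet_regiis -px "MyWebFarmKeys" keys.xml -pri
    //   aspnet_regiis -pi "MyWebFarmKeys" keys.xml            (on each other node; delete keys.xml afterwards)
    //   aspnet_regiis -pa "MyWebFarmKeys" "IIS APPPOOL\MySitePool"
    // then declare a provider that uses the container in Web.config and pass its name to Protect:
    //   <configProtectedData>
    //     <providers>
    //       <add name="MyFarmRsaProvider"
    //            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    //            keyContainerName="MyWebFarmKeys" useMachineContainer="true" />
    //     </providers>
    //   </configProtectedData>
    public static void Main(string[] args)
    {
        string site = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MySite"; // placeholder path
        // DPAPI: key is bound to this machine, so the file cannot be copied to another server.
        // RSA: key container can be exported/imported, so one encrypted Web.config serves the farm.
        Protect(site, "connectionStrings", RsaProvider);
        Console.WriteLine("connectionStrings protected by: " + ProtectingProvider(site, "connectionStrings"));
        Console.WriteLine("first connection string still readable: " + FirstConnectionString(site));
    }
}
```

After Protect runs, the section in Web.config is replaced by a configProtectionProvider attribute and an EncryptedData element; if ProtectingProvider returns null the save did not happen (usually a permissions error on the file or on the key container). Keep in mind the second answer's point: a process running as the app pool identity, or any account on a DPAPI-protected server, can call FirstConnectionString and read the plaintext, so file ACLs and the key container ACL are what actually limit access.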

0
votes

You can use the CryptoAPI to encrypt individual configuration values.

You can use the DPAPI to encrypt entire sections.
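As an added example that is not part of the answer above, this is the "individual configuration values" approach in .NET terms: System.Security.Cryptography.ProtectedData (the managed wrapper over the DPAPI CryptProtectData/CryptUnprotectData calls) encrypts one value, the base64 ciphertext is stored in appSettings, and the application decrypts it at startup, which is the pattern decho's comment on the question describes. The connection string and the entropy string are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original thread): protect a single config value with
// DPAPI instead of a whole section. Requires a reference to System.Security.dll.
public static class DpapiValue
{
    // Optional entropy is mixed into the DPAPI key derivation, so another process on
    // the same machine that does not know it cannot decrypt the value. It is itself a
    // secret baked into the binary, so it raises the bar only modestly. Placeholder value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MySite-config-v1");

    // Run once, at deployment time, as the identity that will later decrypt.
    public static string Encrypt(string plaintext, DataProtectionScope scope)
    {
        byte[] cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy, scope);
        return Convert.ToBase64String(cipher);
    }

    // Run at application start; throws CryptographicException if the key is not
    // available (wrong machine, or wrong user for CurrentUser scope).
    public static string Decrypt(string base64Cipher, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64Cipher), Entropy, scope);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // LocalMachine: any account on this server can decrypt (same trade-off as the
        // DPAPI section provider). CurrentUser: only the app pool identity that ran
        // Encrypt can decrypt, so run the encryption step as that identity.
        const string sample = "Data Source=db;User Id=app;Password=example"; // constructed sample
        string stored = Encrypt(sample, DataProtectionScope.LocalMachine);
        Console.WriteLine("value to place in appSettings: " + stored);
        Console.WriteLine("recovered at startup: " + Decrypt(stored, DataProtectionScope.LocalMachine));
    }
}
```

Compared with encrypting the whole section, this keeps the rest of Web.config readable and lets you choose per-value scope, but the decryption is now your code's responsibility and the plaintext lives in process memory for as long as you hold the string.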