Posted by: Cirilo Meggiolaro | 12/18/2008

Tip of the day #65 – Encrypting a section in a config file

Today's tip is not a new functionality, but application security is always worth talking about. One of the most common ways to store parameters used by .NET applications is to keep them in config files under sections such as appSettings or connectionStrings, which means database credentials and other secrets end up on disk in clear text unless the section is protected.

Encrypting a web.config file

Let's check how to encrypt a config section inside a web.config. The classes are available under the System.Web.Configuration namespace. To achieve this goal you'll have to perform the following steps:

  • Get an instance of the web.config file: This task must be performed using the OpenWebConfiguration static method available under the WebConfigurationManager class. The virtual path of the application whose web.config you want to open must be provided;

WebConfigurationManager.OpenWebConfiguration(configPath);

  • Get an instance of the config section: Once you have a valid instance of the config file, you may use the GetSection method passing a section name as parameter to retrieve a valid instance of a ConfigurationSection object;

GetSection(sectionName);

  • Protect the section: Having the configuration section object in hand, it's time to protect the section using the SectionInformation.ProtectSection method available on the configuration section object. A protected configuration provider name must be supplied. There are two built-in options: DataProtectionConfigurationProvider (uses DPAPI to encrypt and decrypt the data) and RsaProtectedConfigurationProvider (uses an RSA key to encrypt and decrypt the data; it's the default option);

configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

  • Save the changes: Using the Save method of the config object you commit the changes to the web.config file. Two overloads are available:

Save();

Save(ConfigurationSaveMode);

The code should look similar to the following:

using System.Configuration;
using System.Web;
using System.Web.Configuration;

public static void Encrypt(string sectionName)
{
    // Retrieves an instance of the web.config file based on the application's virtual path.
    // The method is static, so the request is reached through HttpContext.Current.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath);

    if (config != null)
    {
        // Retrieves a config section block from the config file
        ConfigurationSection configSection = config.GetSection(sectionName);

        // If the section has been retrieved and the section is not protected yet.
        if ((configSection != null) && (!configSection.SectionInformation.IsProtected))
        {
            // Protect the section using the built-in DataProtectionConfigurationProvider (DPAPI)
            configSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

            // Save the changes back to web.config.
            config.Save(ConfigurationSaveMode.Full);
        }
    }
}

Decrypting a web.config file

The only difference between the encrypt and decrypt process is that instead of using the ProtectSection method, we need to call UnprotectSection, which takes no parameter.

The code to decrypt the section is displayed below:

using System.Configuration;
using System.Web;
using System.Web.Configuration;

public static void Decrypt(string sectionName)
{
    // Retrieves an instance of the web.config file based on the application's virtual path.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath);

    if (config != null)
    {
        // Retrieves a config section block from the config file
        ConfigurationSection configSection = config.GetSection(sectionName);

        // If the section has been retrieved and the section is currently protected.
        if ((configSection != null) && (configSection.SectionInformation.IsProtected))
        {
            // Unprotect the section (no provider name needed: it is read from the section itself)
            configSection.SectionInformation.UnprotectSection();

            // Save the changes back to web.config.
            config.Save(ConfigurationSaveMode.Full);
        }
    }
}
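As an added example (not the post's code), the helper below protects a section with whichever of the two built-in providers you choose and then checks the raw web.config on disk, because the configuration API keeps returning clear text to the application and only the file itself shows whether the secrets are really gone. ConfigProtector, Protect, Unprotect and the secrets parameter are hypothetical names introduced here.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

// Hypothetical helper (added example): protect or unprotect one web.config section
// and verify on disk that the plaintext values are no longer present.
public static class ConfigProtector
{
    // providerName: "DataProtectionConfigurationProvider" (DPAPI; the file is bound to
    // this machine, so it cannot simply be copied to another server) or
    // "RsaProtectedConfigurationProvider" (RSA key container, which the application
    // pool identity must be granted access to, e.g. with aspnet_regiis -pa).
    // secrets: values the caller expects to disappear from the file, e.g. a DB password.
    public static bool Protect(string appVirtualPath, string sectionName,
                               string providerName, params string[] secrets)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true; // write even if nothing else changed
            config.Save(ConfigurationSaveMode.Full);
        }

        // The API still decrypts transparently; only the raw XML shows the result.
        // A protected section carries an <EncryptedData> element, and none of the
        // caller's secrets may remain anywhere in the file in clear text.
        string raw = File.ReadAllText(config.FilePath);
        foreach (string secret in secrets)
            if (raw.Contains(secret))
                return false;
        return raw.Contains("<EncryptedData");
    }

    public static void Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }
    }
}
```

Calling ConfigProtector.Protect("/", "connectionStrings", "RsaProtectedConfigurationProvider", "P@ssw0rd!") from the site (with a constructed sample password) returns false if that value is still readable anywhere in web.config, which also catches the same secret duplicated in an unprotected section.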
