If you are an ASP.NET developer, you know that all the configuration information is stored in the web.config file, a plain-text file that can easily be opened in any text editor such as Notepad or WordPad. We store all the important information there, such as connection strings, user names and passwords. That means we are keeping sensitive information in an unprotected text file.
However, we can easily encrypt the sensitive information in configuration files.
ASP.NET 2.0 introduced the Protected Configuration model, which allows you to encrypt data using two Protected Configuration providers. They are:
RsaProtectedConfigurationProvider: This is the default provider and uses the RSA public key encryption algorithm to encrypt and decrypt data.
DataProtectionConfigurationProvider: This provider uses the Windows Data Protection Application Programming Interface (DPAPI) to encrypt and decrypt data.
Next step: through code
1) Sample web.config file

<configuration>
  <appSettings/>
  <connectionStrings>
    <add name="NorthwindConnectionString" connectionString="Data Source=ARAS02-XP;Initial Catalog=Northwind;User ID=sa"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <compilation debug="true"/>
    <authentication mode="Windows"/>
    <pages theme="Theme1" />
  </system.web>
</configuration>

2) Add a new form and put the following in its code-behind

using System.Web.Configuration;
using System.Web.Security;
using System.Configuration;

// Encrypts the <connectionStrings> section of this application's web.config in place.
public void EncryptConnString()
{
    // Open the web.config of the current application for editing.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Encrypt only if the section is not already protected.
    if (!section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }
}

When this method runs, it produces a new, encrypted web.config:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
  <appSettings/>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>jWmekeNh1TC5Bf5RG2RWo8TU0qLoSF9IdSSpWMgiAjeCUqvPfo/XQr/zzLz4kdHUvCbbrSPX92YOpfv0YKSKO1mlEwE9LA57W9oo/0H7E8feO0flheoNdow9Tw8RVaM7meM8CqODladWD8Vr8G9mk17gWBFByWboIBMzWQ6Rp7U=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>7goUfwnWEqyrTFZXMBcD2eW+15j+eYyzq/YS/GpMX2NTMOrfJ6BHFy4Xr+kGEhLsckrGARfbQFsNLctL7wPBAMucnS0g2nbeMLKH1PPGjvBXjsdrvDUJ50w9CyvQ0dOqBb2Kdx0aEvmxCfCy/xLbkYPE6t/LGjVHUJFySVs4SjWhR4sLxzkxuTRSA3kq+2woobOfzIUSqOsO035SYiOYynQf2QcfodYZgT4U2KVsflUHR6Zk/iiTIh0+t1y0cMioFHkkHM8NDdjnYHToNhAP67GrulM/nAsTiMuAW4ElX/MomWAFngKmJvDqo8oKVWXY</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <!--
        Set compilation debug="true" to insert debugging
        symbols into the compiled page. Because this
        affects performance, set this value to true only
        during development.
    -->
    <compilation debug="false" />
    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows" />
    <!--
        The <customErrors> section enables configuration
        of what to do if/when an unhandled error occurs
        during the execution of a request. Specifically,
        it enables developers to configure html error pages
        to be displayed in place of a error stack trace.
        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
    -->
  </system.web>
</configuration>

To bring the configuration file back to its original state, run the following method:

// Decrypts the <connectionStrings> section, restoring the plain-text web.config.
public void DecryptConnString()
{
    // Open the web.config of the current application for editing.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");

    // Decrypt only if the section is currently protected.
    if (section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}
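
To check which state a web.config is in after running either method, the following added example (not code from the original post) reports whether the connectionStrings and appSettings sections are protected or still hold connection-string credentials in plain text. The function names and status labels are assumptions of this example, and the two sample documents are constructed from the page's web.config with a placeholder CipherValue.

```python
import re
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
# Credential keywords as they appear in a ';'-separated connection string.
CRED = re.compile(r"(?:^|;)\s*(?:password|pwd|user id|uid)\s*=", re.I)

def section_status(section):
    """Classify one section element; returns (status, exposed entry names)."""
    provider = section.get("configProtectionProvider")
    has_blob = section.find("{%s}EncryptedData" % XMLENC_NS) is not None
    if provider and has_blob:
        return "protected", []
    if provider or has_blob:
        # Attribute and EncryptedData must appear together; a half-edited file fails to load.
        return "inconsistent", []
    exposed = []
    for add in section.findall("add"):
        raw = add.get("connectionString") or add.get("value") or ""
        if CRED.search(raw):
            exposed.append(add.get("name") or add.get("key"))
    return ("plaintext-credentials" if exposed else "plaintext"), exposed

def audit_config(xml_text, sections=("connectionStrings", "appSettings")):
    """Return {section name: (status, exposed names)} for the sections present."""
    root = ET.fromstring(xml_text)
    found = ((name, root.find(name)) for name in sections)
    return {name: section_status(node) for name, node in found if node is not None}

# Constructed samples: the page's web.config before and after EncryptConnString().
PLAIN = """<configuration>
  <appSettings/>
  <connectionStrings>
    <add name="NorthwindConnectionString" connectionString="Data Source=ARAS02-XP;Initial Catalog=Northwind;User ID=sa" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("before", PLAIN), ("after", PROTECTED)):
        print(label, audit_config(text))
```

The check only recognizes credentials written in connection-string form; a secret stored under an arbitrary appSettings key is reported as plain "plaintext", so an unencrypted section still needs a manual look.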