Encrypt Your Web or Application Configuration File Data in .NET

Web Farm Scenario

You can use RSA encryption in Web Farms because you can export RSA keys. You need to do this if you encrypt data in a Web.config file prior to deploying it to other servers in a Web Farm. In this case, the private key required to decrypt the data must be exported and deployed to the other servers.

Note: The steps below assume a SharePoint web application on port 8008 whose <appSettings> section must be encrypted, and that the section contains a key named APP_KEY with the value APP_VALUE.

In Source front end server

Use the following procedure:

  1. Run the following command from the command prompt to create a custom, exportable RSA key container:

    aspnet_regiis -pc "CustomKeys" -exp

    If the command is successful, you will see the following output:

    Creating RSA Key container…
    Succeeded!

  2. Add the following new section to the web.config at port 8008.
    <configProtectedData>
       <providers>
          <add keyContainerName="CustomKeys"
               useMachineContainer="true"
               description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
               name="CustomProvider"
               type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
       </providers>
    </configProtectedData>
  3. Run the following command in the command prompt.

    aspnet_regiis -pef "appSettings" "C:\inetpub\wwwroot\wss\VirtualDirectories\8008" -prov "CustomProvider"

    If the encryption is successful, you will see the following output:

    Encrypting configuration section...
    Succeeded!

    Note: This step encrypts the appSettings section in place. Code that reads appSettings through ConfigurationManager needs no change; .NET decrypts the section transparently at runtime.

  4. Grant access to the ASP.NET application pool identity. Run the following command in the command prompt.

    aspnet_regiis -pa "CustomKeys" "domainname\username"

    Here, domainname\username is the application pool identity account.

  5. Run the following command from a .NET command prompt to export the custom RSA encryption key.

    aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri

  6. Now transfer the CustomKeys.xml and web.config files to another front-end server.
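As an added example that is not part of the original article, the following small C# console tool performs step 3 (and its reverse) through the .NET configuration API instead of aspnet_regiis: it opens the web.config directly, protects <appSettings> with the CustomProvider registered in step 2, and reports whether the section is protected. The default path, the --unprotect switch and the class name are assumptions made for the example; the RSA container CustomKeys must already exist on the machine and the account running the tool must have been granted access to it (step 4).

```csharp
using System;
using System.Configuration;

// Example tool (not from the original article): protect or unprotect the
// <appSettings> section of a web.config using the "CustomProvider" provider
// registered under <configProtectedData>. Usage:
//   ConfigProtector.exe [path\to\web.config] [--unprotect]
class ConfigProtector
{
    // Assumed default path: the SharePoint virtual directory used in the article.
    const string DefaultWebConfig =
        @"C:\inetpub\wwwroot\wss\VirtualDirectories\8008\web.config";
    const string ProviderName = "CustomProvider";
    const string SectionName = "appSettings";

    static int Main(string[] args)
    {
        string webConfigPath = args.Length > 0 && !args[0].StartsWith("--") ? args[0] : DefaultWebConfig;
        bool unprotect = Array.IndexOf(args, "--unprotect") >= 0;

        // Open the file by path rather than through IIS, so the tool runs from
        // any command prompt on the server. The caller still needs write access
        // to web.config and read access to the RSA key container.
        var map = new ExeConfigurationFileMap { ExeConfigFilename = webConfigPath };
        Configuration config =
            ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
        {
            Console.Error.WriteLine("No <" + SectionName + "> section in " + webConfigPath);
            return 1;
        }

        // Check up front that the provider from step 2 is actually declared;
        // ProtectSection would otherwise fail with a less helpful error.
        var protectedData = config.GetSection("configProtectedData") as ProtectedConfigurationSection;
        if (!unprotect && (protectedData == null || protectedData.Providers[ProviderName] == null))
        {
            Console.Error.WriteLine("Provider '" + ProviderName + "' is not declared in <configProtectedData>");
            return 2;
        }

        SectionInformation info = section.SectionInformation;
        if (unprotect && info.IsProtected)
        {
            // Decrypts using the provider named in the section's configProtectionProvider attribute.
            info.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
        else if (!unprotect && !info.IsProtected)
        {
            info.ProtectSection(ProviderName);
            info.ForceSave = true; // write the section even though its values did not change
            config.Save(ConfigurationSaveMode.Modified);
        }

        Console.WriteLine(SectionName + " protected: " + info.IsProtected);
        return 0;
    }
}
```

Run it once on the source server to encrypt, and with --unprotect if the section ever has to be edited in clear text again; the resulting web.config is the same kind of file that aspnet_regiis -pef produces, so the destination-server steps below apply unchanged.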

In Destination front end server

Use the following procedure:

  1. Deploy the application and the encrypted Web.config file onto this server computer. Also copy the CustomKeys.xml file to a local directory on the other server, for example to the C:\ directory.

  2. In this server's Web.config, replace the plain <appSettings> section with the encrypted one taken from the source server, and add the following new section.
    <configProtectedData>
       <providers>
          <add keyContainerName="CustomKeys"
               useMachineContainer="true"
               description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
               name="CustomProvider"
               type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
       </providers>
    </configProtectedData>
  3. On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:

    aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"

    If the command is successful, you will see the following output:

    Importing RSA Keys from file…
    Succeeded!

    Note: After you have finished exporting and importing the RSA keys, it is important (for security reasons) to delete the CustomKeys.xml file from both machines, since it contains the private key.

How to use in the application

  1. Add the following Default.aspx Web page to your application's virtual directory and then browse to this page to verify that encryption and decryption are working correctly.

    <%@ Page Language="C#" %>
    <%@ Import Namespace="System.Configuration" %>
    <script runat="server">
       protected void Page_Load(object sender, EventArgs e)
       {
          // ConfigurationManager returns the decrypted value; the page code is
          // identical to what it would be with a plain-text appSettings section.
          Response.Write("AppSetting value is: " +
             ConfigurationManager.AppSettings["APP_KEY"]);
       }
    </script>
    <html>
       <body/>
    </html>
    Output:

    AppSetting value is: APP_VALUE

