Guide to Handling Web.Config Encryption Across Multiple Servers

Introduction

Encrypting sections of the web.config file is a crucial security measure for protecting sensitive information in ASP.NET applications. However, when deploying applications across multiple servers, it is necessary to share the encryption keys to ensure the encrypted sections remain accessible. This guide provides a step-by-step process to encrypt, export, and import encryption keys across multiple servers.

Why Encrypt Web.Config Sections?

Encrypting sections of the web.config file serves multiple purposes:

  1. Enhanced Security: Prevents unauthorized users from reading sensitive data such as connection strings and credentials.
  2. Compliance Requirements: Helps in meeting security standards like PCI DSS and GDPR.
  3. Protection Against Attacks: Reduces the risk of exposure in case of server compromise.
  4. Machine-Specific Encryption: Ensures that only applications running on the same server can decrypt and use the settings.

Step-by-Step Guide to Handling Web.Config Encryption Across Multiple Servers

1. Encrypt Web.Config Sections on the First Server

Run the encryption command on the first server:

aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\MyApp"

This encrypts the connectionStrings section with the default protected configuration provider. With no -prov argument that is RsaProtectedConfigurationProvider, which encrypts under the RSA key container named NetFrameworkConfigurationKey. Only an RSA container can be exported in the next step; a section encrypted with DataProtectionConfigurationProvider (DPAPI) is bound to the machine that encrypted it and cannot be shared with other servers.

2. Export the RSA Key Container from the First Server

To share encryption settings, export the RSA key container:

aspnet_regiis -px "NetFrameworkConfigurationKey" "C:\keys\exportedkey.xml" -pri
  • -px → Exports the key container.
  • -pri → Includes the private key, allowing decryption on other servers.

3. Transfer the Exported Key to Additional Servers

Securely copy the exported XML file to each additional server. Use a secure transfer method such as SCP, SFTP, or a secure network share.

4. Import the RSA Key Container on Additional Servers

On each additional server, import the encryption key:

aspnet_regiis -pi "NetFrameworkConfigurationKey" "C:\keys\exportedkey.xml"

Now these servers can decrypt the encrypted web.config sections, provided the identity the application runs under (for example the IIS application pool account) has read access to the imported container. Grant it with aspnet_regiis -pa "NetFrameworkConfigurationKey" "<account>" (replace <account> with the application pool identity); without this, the application fails at startup with "The RSA key container could not be opened".

5. Verify Decryption on Each Server

To test whether the encryption key was successfully shared, run:

aspnet_regiis -pd "connectionStrings" -app "/MyApp"

If the decryption works, the key sharing is successful. Note that -pd is not a read-only test: it writes the decrypted section back into web.config in plaintext, so re-encrypt it afterwards with aspnet_regiis -pe "connectionStrings" -app "/MyApp". (The -app form takes the IIS virtual path; -pef and -pdf take the physical directory as in step 1.)

6. Clean Up Sensitive Key Files

For security reasons, delete the exported key file (exportedkey.xml) from all servers after successful import.

del "C:\keys\exportedkey.xml"
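As an added example that is not part of this guide, the following Python check covers steps 1 and 5 without touching the key container or decrypting anything in place: before web.config is copied to another server it reports whether each section is encrypted, whether the provider is the RSA one whose container -px/-pi can move (DPAPI output cannot follow the file), and which <add> entries in a still-plaintext section look like credentials. The sample web.config, its placeholder cipher values and the SECRET_HINTS list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Providers aspnet_regiis can use and whether their key can follow the config
# to another server: the RSA container is exportable with -px, DPAPI is not.
PORTABLE = {"RsaProtectedConfigurationProvider": True,
            "DataProtectionConfigurationProvider": False}
SECRET_HINTS = ("password", "pwd", "secret", "token")  # constructed heuristic list

# Constructed sample web.config: connectionStrings encrypted with the RSA
# provider (cipher values are placeholders), appSettings still in plaintext.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>PLACEHOLDER_WRAPPED_SESSION_KEY</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER_ENCRYPTED_SECTION</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ApiPassword" value="hunter2" />
  </appSettings>
</configuration>"""


def audit_sections(xml_text, sections=("connectionStrings", "appSettings")):
    """Per section: encrypted?, provider, key portable?, plaintext credential names."""
    root = ET.fromstring(xml_text)
    report = {}
    for name in sections:
        sec = root.find(name)
        if sec is None:
            continue  # section not present in this file
        provider = sec.get("configProtectionProvider")
        # Match EncryptedData by local name: RSA output carries the xmlenc namespace, DPAPI output does not.
        encrypted = provider is not None and any(
            child.tag.rsplit("}", 1)[-1] == "EncryptedData" for child in sec)
        leaks = [] if encrypted else [  # only plaintext sections expose <add> entries
            e.get("key") or e.get("name") for e in sec.iter("add")
            if any(h in (e.get("key") or e.get("name") or "").lower() for h in SECRET_HINTS)]
        report[name] = {"encrypted": encrypted, "provider": provider,
                        "portable": PORTABLE.get(provider, False), "plaintext_secrets": leaks}
    return report
```

Run it against the real web.config on the source server before step 3; a section reported as encrypted but not portable will not decrypt on the other servers no matter which key container is imported.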

Considerations and Best Practices

  • Use Secure Transfers: Always use secure methods like SCP or SFTP to transfer encryption keys between servers.
  • Backup Before Encryption: Always keep a backup of the web.config file before encryption.
  • Automate for CI/CD: Automate encryption processes in deployment pipelines for consistent security measures.
  • Use Alternative Secure Storage: Consider using Azure Key Vault, AWS Secrets Manager, or environment variables for highly sensitive data instead of storing credentials in web.config.

Conclusion

Handling encrypted web.config sections across multiple servers requires careful management of encryption keys. By following this guide, developers can ensure secure encryption, seamless key sharing, and proper protection of sensitive configuration data in distributed environments.