Encrypt configuration sections that contain sensitive data such as SQL connection strings. Use DPAPI to encrypt the sensitive data in the configuration file on your WCF server machine. To encrypt sensitive data in your configuration files, use the aspnet_regiis.exe tool with the -pe (provider encryption) option. For example, to encrypt the connectionStrings section using the DPAPI provider with the machine key store (the default configuration), run the following command from a command prompt:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
The aspnet_regiis settings are:
- -pe — specifies the configuration section to encrypt.
- -app — specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
- -prov — specifies the provider name.
The Microsoft .NET Framework supports the following protected configuration providers:
- RSAProtectedConfigurationProvider. This is the default provider. It uses RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple WCF services in a Web farm, because the same RSA key container can be exported to every server.
- DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server, because the DPAPI machine key is specific to that machine and the encrypted section cannot be read elsewhere.
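The following C# program is an added example; it is not part of the original guidance and not a tool shipped with the .NET Framework. It performs the same operation as the aspnet_regiis -pe command above through the System.Configuration API, so the choice between the DPAPI and RSA providers is a single argument. The virtual path "/MachineDPAPI" and the program name ProtectConfig are assumptions; the provider names "DataProtectionConfigurationProvider" and "RsaProtectedConfigurationProvider" are the names registered in machine.config. After protecting the section, it reopens the configuration to show that the connection strings are still readable through the normal API, since decryption happens transparently at load time.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not from the original guide.
// Equivalent to:
//   aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
// Assumes an IIS application at the given virtual path (e.g. "/MachineDPAPI", hypothetical)
// and a provider name registered in machine.config:
//   "DataProtectionConfigurationProvider"  (DPAPI, single machine)
//   "RsaProtectedConfigurationProvider"    (RSA, Web farm)
// Requires a reference to System.Configuration.dll and System.Web.dll and
// sufficient rights to write the application's web.config.
class ProtectConfig
{
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: ProtectConfig <virtualPath> <providerName> [unprotect]");
            return 1;
        }
        string virtualPath = args[0];
        string providerName = args[1];
        bool unprotect = args.Length > 2 && args[2] == "unprotect";

        // Open the web.config of the application at the virtual path
        // (the same lookup aspnet_regiis performs for its -app argument).
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (unprotect)
        {
            // Equivalent of aspnet_regiis -pd: restore the plaintext section.
            if (section.SectionInformation.IsProtected)
                section.SectionInformation.UnprotectSection();
        }
        else if (!section.SectionInformation.IsProtected)
        {
            // Replaces the section body with <EncryptedData> and adds
            // configProtectionProvider="<providerName>" on the section element.
            section.SectionInformation.ProtectSection(providerName);
        }

        // Write the modified section back to web.config.
        config.Save(ConfigurationSaveMode.Modified);

        // Verify: reopen the configuration; the runtime decrypts the section
        // on load, so code that reads connection strings needs no changes.
        Configuration reopened = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConnectionStringSettingsCollection strings = reopened.ConnectionStrings.ConnectionStrings;

        Console.WriteLine("Section protected: {0}", reopened.ConnectionStrings.SectionInformation.IsProtected);
        Console.WriteLine("Connection strings readable: {0}", strings.Count);
        foreach (ConnectionStringSettings cs in strings)
            Console.WriteLine("  {0} (provider {1})", cs.Name, cs.ProviderName);
        return 0;
    }
}
```

Run it as ProtectConfig "/MachineDPAPI" "DataProtectionConfigurationProvider" to protect the section with DPAPI, substitute "RsaProtectedConfigurationProvider" for a Web farm, and append unprotect to reverse the change. Inspecting web.config afterwards shows the connectionStrings element carrying a configProtectionProvider attribute and an EncryptedData child instead of plaintext connection strings, which is the state the guidance above is asking for.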