Encrypt Sensitive Data in Your Configuration Files in asp.net

Encrypt configuration sections that contain sensitive data, such as SQL connection strings, so that they are not stored in plain text on your WCF server machine. On a single server, use DPAPI to encrypt the sensitive data in the configuration file. To encrypt a section, run the aspnet_regiis.exe tool with the -pe (provider encryption) option.

For example, to encrypt the connectionStrings section, using the DPAPI provider with the machine key store (the default configuration), run the following command from a command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

The aspnet_regiis settings are:

  • -pe — specifies the name of the configuration section to encrypt.
  • -app — specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
  • -prov — specifies the name of the protected configuration provider to use.
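The same operation as the aspnet_regiis command above, carried out through the .NET configuration API so that it can be scripted into a deployment step, as an added example that is not part of the original article. It assumes the virtual path "/MachineDPAPI" from the article and a hypothetical connection string named MyDb.

```csharp
// Added example (not from the original article): programmatic equivalent of
//   aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
// Assumptions: the application's virtual path is "/MachineDPAPI" (as in the article), the code runs
// on the server that hosts the web.config with write access to it, and "MyDb" is a hypothetical
// connection string name used only to show that reads still return plaintext.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ProtectConnectionStrings
{
    const string VirtualPath = "/MachineDPAPI";
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the connectionStrings section in place. Returns false if it was already protected.
    static bool ProtectSection(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
            return false;

        // DPAPI with the machine key store: only this machine can decrypt the result,
        // which is why the article recommends this provider for a single server.
        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Re-reads the section and reports the provider now protecting it (null if unprotected).
    static string ProtectionProviderName(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        SectionInformation info = config.GetSection("connectionStrings").SectionInformation;
        return info.IsProtected ? info.ProtectionProvider.Name : null;
    }

    static void Main()
    {
        bool changed = ProtectSection(VirtualPath);
        Console.WriteLine(changed ? "connectionStrings encrypted." : "connectionStrings was already protected.");
        Console.WriteLine("Provider: " + ProtectionProviderName(VirtualPath));

        // Application code is unchanged: the framework decrypts the section when it loads it.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(VirtualPath);
        ConnectionStringsSection css = (ConnectionStringsSection)config.GetSection("connectionStrings");
        ConnectionStringSettings mydb = css.ConnectionStrings["MyDb"]; // hypothetical name
        Console.WriteLine(mydb == null ? "No connection string named MyDb." : "MyDb still readable as plaintext.");
    }
}
```

After the save, the connectionStrings element in web.config carries a configProtectionProvider attribute and an EncryptedData child instead of the plaintext entries, which is a quick way to confirm the step took effect.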

The Microsoft .NET Framework supports the following protected configuration providers:

  • RSAProtectedConfigurationProvider. This is the default provider. It uses RSA public-key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple WCF services in a Web farm.
  • DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server.