Configuration sections can be encrypted in ASP.NET using the “aspnet_regiis.exe” tool. ASP.NET provides two encryption options:
Windows Data Protection API (DPAPI) Provider (DataProtectionConfigurationProvider) – this provider uses the built-in cryptography capabilities of Windows to encrypt and decrypt the configuration sections. By default this provider uses the machine’s key.
RSA Protected Configuration Provider (RSAProtectedConfigurationProvider) – uses RSA public key encryption to encrypt/decrypt the configuration sections. With this provider you need to create key containers that hold the public and private keys used for encrypting and decrypting the configuration information.
While encrypting the config files we can choose what kind of provider we need for encryption. So let’s understand step by step how we can actually encrypt the web.config file sections.
Step 1:- Go to the command prompt of the framework.
Step 2:- Run the aspnet_regiis.exe as shown in the figure. We have provided the section which we need to encrypt and the provider. If the command is successfully executed, you should get a succeeded message of encryption. You can see we have decrypted the appSettings section. We have also shown how the unencrypted config file looks after running aspnet_regiis.exe.
Step 3:- Once the file is encrypted you can use the same in your program in a normal fashion. For instance the below defined appSetting key “MyValue” in figure “aspnet_regiis.exe in Action” can be displayed simply by:-
You do not need to do any kind of decryption inside your program again.
Figure 21.4 shows how the plain text is further changed to an encrypted form using aspnet_regiis.exe.
Below are the different forms of the aspnet_regiis command for your reference.
-- Generic form for encrypting the Web.config file for a particular website...
aspnet_regiis.exe -pef section physical_directory -prov provider
-- or --
aspnet_regiis.exe -pe section -app virtual_directory -prov provider
-- Concrete example of encrypting the Web.config file for a particular website
aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" -prov "DataProtectionConfigurationProvider"
-- or --
aspnet_regiis.exe -pe "connectionStrings" -app "/MyWebSite" -prov
-- Generic form for decrypting the Web.config file for a particular website...
aspnet_regiis.exe -pdf section physical_directory
-- or --
aspnet_regiis.exe -pd section -app virtual_directory
-- Concrete example of decrypting the Web.config file for a particular website...
aspnet_regiis.exe -pdf "connectionStrings" "C:\Inetpub\wwwroot\MyWebSite"
-- or --
aspnet_regiis.exe -pd "connectionStrings" -app "/MyWebSite"
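To confirm that the commands above actually left a section in encrypted form, the following added example (not part of the original article) checks a Web.config for the configProtectionProvider attribute and the EncryptedData element that aspnet_regiis.exe writes into a protected section. The function names, the status strings and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sections this audit expects to be protected (an assumption; adjust per site).
SENSITIVE = ("appSettings", "connectionStrings")

# Constructed sample: appSettings in clear text, connectionStrings protected (placeholder ciphertext).
SAMPLE = """<configuration>
  <appSettings>
    <add key="MyValue" value="example" />
  </appSettings>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def local(tag):
    """Drop an XML namespace prefix such as '{http://...}EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text, sections=SENSITIVE):
    """Return {section: status} for each sensitive section of a Web.config."""
    top = {local(child.tag): child for child in ET.fromstring(xml_text)}
    report = {}
    for name in sections:
        node = top.get(name)
        if node is None:
            report[name] = "absent"
            continue
        provider = node.get("configProtectionProvider")
        children = [local(c.tag) for c in node]
        has_cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip()
                         for e in node.iter())
        if provider and children == ["EncryptedData"] and has_cipher:
            report[name] = "encrypted:" + provider
        elif provider or "EncryptedData" in children:
            report[name] = "inconsistent"  # attribute and payload disagree
        else:
            report[name] = "plaintext"
    return report

if __name__ == "__main__":
    for section, status in audit_web_config(SAMPLE).items():
        print(f"{section}: {status}")
```

A "plaintext" or "inconsistent" result for a section that holds secrets is the case to fail a deployment check on.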
In .NET 1.X how was the encryption implemented for config files?
Encrypting in .NET 1.X was a bit different and cryptic as compared to ASP.NET 2.0. It is a three step procedure to implement encryption of config files:-
Step 1: – Use the aspnet_setreg.exe to make a registry entry using the following command. “-k” is the keyname in the registry and “-c” is the key value.
Step 2: – We give the registry path with the key name “myConnectionString” in the value attribute.
Step 3: – In the code we need to finally decrypt the connection string. For that we need to use Ncrypto DLL.
Note: – We have provided the same in the CD zipped in “aspnetreg.zip” file. It has the aspnet_setreg.exe and also the Ncrypto DLL. You can use the DLL and practice the same on .NET 1.X
In the code we need to decrypt back the value so that we can get original string in the process. Below code snippet “Decrypting the connectionstring” shows step by step how the decryption process happens. In the below code there are four important steps we need to understand.
Step 1: – We need to take the path value using the split section. In step 1 we have taken out the path using the “:” and “,” separator.
Step 2: – Using the “OpenSubKey” function we open a connection to the path which we just obtained from parsing.
Step 3: – We get the value in byte array.
Step 4: – We decode the byte array back in to a string value using the “Unprotect” function.
Note: – This is one of the marked improvements in ASP.NET 2.0: we do not need to write a decrypt function. In short, we just do the encryption using aspnet_regiis.exe and then read the config value.