

Recipe 17.17. Encrypting web.config Information

Problem

You need to encrypt data within a web.config file programmatically.

Solution

To encrypt data within a web.config file section, use the following method:

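 // Requires: using System; using System.Configuration; using System.Web.Configuration;
 public static void EncryptWebConfigData(string appPath,
                                         string protectedSection,
                                         string dataProtectionProvider)
 {
     // Open the web.config file for the application at this virtual path.
     System.Configuration.Configuration webConfig =
                 WebConfigurationManager.OpenWebConfiguration(appPath);
     ConfigurationSection webConfigSection = webConfig.GetSection(protectedSection);
     // GetSection returns null when the section does not exist.
     if (webConfigSection == null)
     {
         throw new ArgumentException("Section not found: " + protectedSection,
                                     "protectedSection");
     }
     // Encrypt only if the section is not already protected, then persist the change.
     if (!webConfigSection.SectionInformation.IsProtected)
     {
         webConfigSection.SectionInformation.ProtectSection(dataProtectionProvider);
         webConfig.Save();
     }
 }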

To decrypt data within a web.config file section, use the following method:

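 // Requires: using System; using System.Configuration; using System.Web.Configuration;
 public static void DecryptWebConfigData(string appPath, string protectedSection)
 {
     // Open the web.config file for the application at this virtual path.
     System.Configuration.Configuration webConfig =
                 WebConfigurationManager.OpenWebConfiguration(appPath);
     ConfigurationSection webConfigSection = webConfig.GetSection(protectedSection);
     // GetSection returns null when the section does not exist.
     if (webConfigSection == null)
     {
         throw new ArgumentException("Section not found: " + protectedSection,
                                     "protectedSection");
     }
     // Decrypt only if the section is currently protected, then persist the change.
     if (webConfigSection.SectionInformation.IsProtected)
     {
         webConfigSection.SectionInformation.UnprotectSection();
         webConfig.Save();
     }
 }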

You will need to add references to the System.Web and System.Configuration assemblies to your project before this code will compile.

Discussion

To encrypt data, you can call the EncryptWebConfigData method with the following arguments:

 EncryptWebConfigData("/WebApplication1", "appSettings",
                      "DataProtectionConfigurationProvider");

The first argument is the virtual path to the web application, the second argument is the section that you want to encrypt, and the last argument is the data protection provider that you want to use to encrypt the data.

The EncryptWebConfigData method uses the virtual path passed into it to open the web.config file. This is done using the OpenWebConfiguration static method of the WebConfigurationManager class:

 System.Configuration.Configuration webConfig =
     WebConfigurationManager.OpenWebConfiguration(appPath);

This method returns a System.Configuration.Configuration object, which you use to get the section of the web.config file that you wish to encrypt. This is accomplished through the GetSection method:

 ConfigurationSection webConfigSection = webConfig.GetSection(protectedSection); 

This method returns a ConfigurationSection object that you can use to encrypt the section. This is done through a call to the ProtectSection method:

 webConfigSection.SectionInformation.ProtectSection(dataProtectionProvider); 

The dataProtectionProvider argument is a string identifying which data protection provider you want to use to encrypt the section information. The two available providers are DpapiProtectedConfigurationProvider and RsaProtectedConfigurationProvider. The DpapiProtectedConfigurationProvider class makes use of the Data Protection API (DPAPI) to encrypt and decrypt data. The RsaProtectedConfigurationProvider class makes use of the RSACryptoServiceProvider class in the .NET Framework to encrypt and decrypt data.

The final step to encrypting the section information is to call the Save method of the System.Configuration.Configuration object. This saves the changes to the web.config file. If this method is not called, the encrypted data will not be saved.

To decrypt data within a web.config file, you can call the DecryptWebConfigData method with the following parameters:

 DecryptWebConfigData("/WebApplication1", "appSettings"); 

The first argument is the virtual path to the web application; the second argument is the section that you want to decrypt.

The DecryptWebConfigData method operates very similarly to the EncryptWebConfigData method, except that it calls the UnprotectSection method to decrypt the encrypted data in the web.config file:

 webConfigSection.SectionInformation.UnprotectSection(); 

If you encrypt data in the web.config file using this technique, the data will automatically be decrypted when the web application accesses the encrypted data in the web.config file.
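To confirm after Save that a section is really stored encrypted on disk, the check below (an added example, not code from the book) parses web.config text and reports the listed sections that lack the configProtectionProvider attribute and EncryptedData element that ProtectSection writes. The class name, method name, and sample XML are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Hypothetical audit helper (names are illustrative, not from the recipe).
public static class WebConfigProtectionAudit
{
    // Returns the requested sections that are present but still stored in clear
    // text. A protected section carries a configProtectionProvider attribute and
    // contains only an <EncryptedData> element.
    public static List<string> FindUnprotectedSections(string webConfigXml,
                                                       IEnumerable<string> sectionNames)
    {
        XElement root = XDocument.Parse(webConfigXml).Root;
        var unprotected = new List<string>();
        foreach (string name in sectionNames)
        {
            // Section paths such as "system.web/identity" are walked one element at a time.
            XElement section = root;
            foreach (string part in name.Split('/'))
                section = section?.Elements().FirstOrDefault(e => e.Name.LocalName == part);
            if (section == null) continue;   // section is not present in this file

            bool hasProvider = section.Attribute("configProtectionProvider") != null;
            bool onlyCipher = section.Elements().Count() == 1 &&
                              section.Elements().First().Name.LocalName == "EncryptedData";
            if (!(hasProvider && onlyCipher)) unprotected.Add(name);
        }
        return unprotected;
    }

    public static void Main()
    {
        // Constructed sample: appSettings is protected, connectionStrings is not.
        const string sample = @"<configuration>
  <appSettings configProtectionProvider=""DataProtectionConfigurationProvider"">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name=""Main"" connectionString=""Server=db;User Id=app;Password=example"" />
  </connectionStrings>
</configuration>";
        foreach (string s in FindUnprotectedSections(sample, new[] { "appSettings", "connectionStrings" }))
            Console.WriteLine("Not protected: " + s);
    }
}
```

A check like this can run in a deployment pipeline against the published web.config so that a missed Save or a skipped section is caught before release.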

See Also

See the "System.Configuration.Configuration Class" topic in the MSDN documentation.



C# Cookbook