Since ASP.NET 2.0, web.config has a connectionStrings section for storing database connection strings, and it provides an encryption feature to protect the sensitive information in them (such as the database account and password).  For example:

<connectionStrings>
<add name="PlaygroundConnectionString" connectionString="Data Source=(local);Initial Catalog=Playground;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>

Will be encrypted as:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  xmlns="http://www.w3.org/2001/04/xmlenc#">
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
     <KeyName>Rsa Key</KeyName>
    </KeyInfo>
    <CipherData>
     <CipherValue>a44a3giX...(omitted)...o+VMsXS8os=</CipherValue>
    </CipherData>
   </EncryptedKey>
  </KeyInfo>
  <CipherData>
   <CipherValue>TX5qKv+s...(omitted)...3YgrV5wcA==</CipherValue>
  </CipherData>
</EncryptedData>
</connectionStrings>

The RSA encryption keeps the sensitive information from being recovered even if web.config is stolen.  You can find more information about web.config encryption on MSDN.

But the only way to encrypt and decrypt web.config is the aspnet_regiis.exe command line utility, which means you have to know its arguments and type them by hand, which is not very convenient.  For example, when I want to encrypt a web.config and deploy it to 3 web farm servers, here is what I have to do:

  1. Use aspnet_regiis -pc "SharedKeys" -exp to create a shared, exportable RSA key container.
  2. Use aspnet_regiis -px "SharedKeys" keys.xml -pri to export the RSA key container (including the private key) to an XML file.
  3. Copy keys.xml to the 3 web farm servers.
  4. Execute aspnet_regiis -pi "SharedKeys" keys.xml to import the RSA key container on each of the 3 web farm servers.
  5. Execute aspnet_regiis -pa "SharedKeys" "NT AUTHORITY\NETWORK SERVICE" to grant the ASP.NET web application access to the key container. (Note: IIS 7.5 uses IIS APPPOOL\YourAppPoolName as the identity, so replace NT AUTHORITY\NETWORK SERVICE with the appropriate account. [reference])
  6. In web.config, add:
    <configProtectedData>
    <providers>
      <add keyContainerName="SharedKeys" useMachineContainer="true"
       name="SharedKeys" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </configProtectedData>
  7. Use aspnet_regiis -pe "connectionStrings" -app "/WebApplication" -prov "SharedKeys" to encrypt the connectionStrings section.
  8. Copy the encrypted web.config to the 3 web farm servers.
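Steps 6 and 7 can also be done from managed code instead of aspnet_regiis, which is what a GUI tool like this one can do behind the buttons.  The following is an added C# example, not the tool's own source: it assumes the IIS application path "/WebApplication" and a key container "SharedKeys" that already exists and has been granted to the application pool identity (steps 1 to 5); the grant step itself is not covered here.

```csharp
// Added example, not the tool's source: encrypt connectionStrings with a named RSA
// key container via System.Configuration, mirroring steps 6 and 7 above. Assumes
// "SharedKeys" exists and is granted to the app pool identity (steps 1 to 5).
using System;
using System.Configuration;
using System.Web.Configuration;

class ConnectionStringProtector
{
    const string ProviderType =
        "System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, " +
        "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a";

    // Step 6: declare a provider bound to the shared container unless already present.
    static void EnsureProvider(Configuration config, string keyContainer)
    {
        var protectedData = (ProtectedConfigurationSection)config.GetSection("configProtectedData");
        if (protectedData.Providers[keyContainer] != null) return;
        var provider = new ProviderSettings(keyContainer, ProviderType);
        provider.Parameters["keyContainerName"] = keyContainer;
        provider.Parameters["useMachineContainer"] = "true";
        protectedData.Providers.Add(provider);
    }

    // Step 7: encrypt the section; if it is already encrypted, decrypt it instead.
    static void ToggleProtection(string appPath, string keyContainer)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
            section.SectionInformation.UnprotectSection();
        else
        {
            EnsureProvider(config, keyContainer);
            section.SectionInformation.ProtectSection(keyContainer);
        }
        // ForceSave writes the section even when its in-memory values are unchanged,
        // so the <EncryptedData> element replaces the plaintext <add> entries.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    static void Main(string[] args)
    {
        // Usage: ConnectionStringProtector.exe [/WebApplication] [SharedKeys]
        ToggleProtection(args.Length > 0 ? args[0] : "/WebApplication",
                         args.Length > 1 ? args[1] : "SharedKeys");
    }
}
```

Run it once to encrypt and a second time to decrypt; the account running it needs read access to the key container, and the resulting web.config still has to be copied to every server (step 8).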

I have always thought there should be a more convenient tool to perform these complex steps and hide the utility's argument details, so I wrote one: Web Config ConnectionString Encryptor!

It's a handy tool that provides a GUI for the operations aspnet_regiis.exe used to do, including web.config encryption and decryption and RSA key container management.

The UI is straightforward (I hope so ;P): you choose the web application from the dropdown list, the web.config is shown in the viewer, and the [Edit] button starts Notepad to edit the web.config.  If the connectionStrings section of the web.config is not encrypted, you can click [Encrypt] to encrypt it; if it is encrypted, the [Encrypt] button becomes [Decrypt], so you can decrypt it with one click, too.

The RSA Key Container Management UI can be used to create, delete, export and import key containers.

The tool supports English and Traditional Chinese (Taiwan) so far.

Here are operation samples for some typical scenarios:

  1. For a single web server (using the default key container)
    a) Choose the web application from the dropdown list
    b) Click the [Encrypt] button
  2. For a single web server (using a specific key container)
    a) Choose the web application from the dropdown list
    b) Input the key container name
    c) Click the [Encrypt] button
    (If the key container doesn't exist, a new key container is created automatically.  But the auto-created key container is not exportable, so it can't be used for web farm servers; see the next case for web farm scenarios.  When a specific key container is used, an RsaProtectedConfigurationProvider named after the key container is appended to the <configProtectedData><providers> node of the web.config.)
    d) Use the [Manage Key Container] function
    e) Input the key container name and click the [Grant] button
  3. Sharing an encrypted web.config among web farm servers
    a) Use the [Manage Key Container] function
    b) Input the key container name, click the [Create] button
    c) Click the [Grant] button
    d) Click [Export] and save as an XML file
    e) Copy the XML file to the web farm servers, run Web Config ConnectionString Encryptor on those servers, use [Manage Key Container], input the key container name, click [Import] then [Grant].  Remember to delete the XML file from the server for security reasons.
    f) Choose the web application from the dropdown list
    g) Input the key container name
    h) Click the [Encrypt] button
    i) Copy the encrypted web.config to the web farm servers.

Although I think this tool is simple and safe, use it at your own risk and remember to back up your web.config to be on the safe side.  Any feedback is welcome.

CodePlex: Web Config ConnectionString Encryptor


Comments

# by Mulder

You're truly awesome I have to say

# by Mulder

btw, in the last line, "use it at your own task" (should it be "risk"?)

# by Jeffrey

to Mulder, I'm glad that you like it. Yes, you are right, it should be "risk" and I just corrected it. It seems that clumsy English and numerous typos have become my features. :-S
