
I'm trying to understand how the aspnet_regiis.exe tool "encrypts" Web.config files.

Here is the documentation for how to use the tool:

I'm looking for answers to questions this documentation does not address:

  • Does this only work for Web.config files?

  • What exactly is encrypted? The whole config file?

  • Does IIS automatically know how to decrypt encrypted config files?

  • What encryption algorithms are used?

  • Are there any encryption keys (and/or passwords)? Where are they?

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)

Charles
Jay Sullivan
  • *"Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)"* It probably uses the keys in *machine.config*, so I'd bet you can't encrypt in one machine and then decrypt in another unless you edit machine configuration file. – Geeky Guy Sep 17 '13 at 14:35

1 Answer

  • Does this only work for Web.config files?

I think so, but a simple test will give you a sure answer. (update: the tool assumes there is a web.config file. If you need to encrypt another file like app.config, just rename it to web.config).

  • What exactly is encrypted? The whole config file?

You can specify sections that will be encrypted (see this link).

  • Does IIS automatically know how to decrypt encrypted config files?

Yes (same link).

  • What encryption algorithms are used?

You can choose a provider of your choice (same link).

  • Are there any encryption keys (and/or passwords)? Where are they?

Yes, there are if you use the RsaProtectedConfigurationProvider; see this link for more info.

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)

Yes, using RsaProtectedConfigurationProvider it is possible.

For more general information on Protected Configuration, please refer to this guide on MSDN.

Superzadeh
  • I found that the tool assumes there is a `Web.config` file in the specified folder. The trick to encrypt `App.config` files is to rename it to `Web.config`, encrypt it, then rename it back. – Jay Sullivan Oct 10 '13 at 15:07
  • I clicked the link to see what encryption algorithm is used but it's still a bit vague. Seems the default is DpapiProtectedConfigurationProvider which uses the Windows Data Protection API https://en.wikipedia.org/wiki/Data_Protection_API, which "allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets." ... so by default aspnet_regiis is machine specific unless you specify a different configuration provider – codeulike Mar 03 '22 at 15:20
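The cross-machine flow the answer describes (RSA provider instead of the machine-bound DPAPI default, then moving the key container), written out as an added example that is not part of the original question or answer. The site path, the application pool identity name and the temporary export path are assumptions; the key container name is the one the default RsaProtectedConfigurationProvider in machine.config uses.

```powershell
# Added example, not from the original post. Assumed values: the site lives in
# C:\inetpub\MyApp, its app pool runs as "IIS APPPOOL\MyAppPool", and the RSA key
# container is the provider's default, "NetFrameworkConfigurationKey".
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$site   = "C:\inetpub\MyApp"

# 1. Encrypt only the <connectionStrings> section of the Web.config found in
#    $site (-pef takes a physical directory, not an IIS virtual path) and pick
#    the RSA provider explicitly; the default DPAPI provider would produce
#    ciphertext that only this machine can decrypt.
& $regiis -pef "connectionStrings" $site -prov "RsaProtectedConfigurationProvider"

# 2. Grant the app pool identity read access to the private key, otherwise the
#    site fails at startup with "The RSA key container could not be opened".
& $regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\MyAppPool"

# 3. Export the container including the private key (-pri) so a second server
#    can decrypt the same file. keys.xml is the secret; remove it after import.
& $regiis -px "NetFrameworkConfigurationKey" "C:\temp\keys.xml" -pri

# On the second server: import the container, grant its pool identity, then copy
# the already-encrypted Web.config over unchanged.
# & $regiis -pi "NetFrameworkConfigurationKey" "C:\temp\keys.xml"
# & $regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\MyAppPool"

# To turn the section back into plaintext for inspection on any server holding
# the container:
# & $regiis -pdf "connectionStrings" $site
```

Only the named section is rewritten; the rest of the file stays readable, and the `configProtectionProvider` attribute the tool adds to that section is what tells IIS which provider to use when it reads the file.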