0

I was wondering what the best (most secure) way to encrypt Web.Config files in an ASP.Net MVC 4 Application is? I have some background with developing in-house applications using C#, but we never focused too much on encryption due to other security that was already in place.

EDIT: My host Server is ORACLE if that changes anything? A friend mentioned perhaps using aspnet_regiis.exe after deployment of my code with the '-pe' argument. Anyone have any pros/cons for this method?

EDIT2: ORACLE is a Database, not a Server! Can I go home yet?! >_<

Analytic Lunatic
  • 3,853
  • 22
  • 78
  • 120
  • Usually web.config is protected by OS Security configuration for file and folder permissions. If you have some passwords/user id/etc in your web.config, you can use System.Security.Cryptography for encryption of them, and decrypt values on your app initialization and then use them. – decho Oct 30 '13 at 13:29
  • possible duplicate of [Encrypting Web.Config](http://stackoverflow.com/questions/1075245/encrypting-web-config) – CodeCaster Oct 30 '13 at 13:34
  • possible duplicate of [Encrypting config files for deployment](http://stackoverflow.com/questions/563717/encrypting-config-files-for-deployment) – Brant Bobby Nov 04 '13 at 20:46

3 Answers

1

The typical way is to use a ProtectedConfigurationProvider to encrypt the sensitive sections. There are several existing implementations. You can also implement your own if needed.

Jeff Moser
  • 19,727
  • 6
  • 65
  • 85
1

> I was wondering what the best (most secure) way to encrypt Web.Config files

"Most secure" depends on what threats you are trying to protect against. You can assume that all the standard cryptographic algorithms are secure, but by encrypting web.config, you've simply exchanged the problem of protecting plaintext credentials in web.config for the problem of protecting an encryption key.

Typically you'll use Protected Configuration to encrypt web.config.

  • If you use the DPAPI provider, you'll encrypt using the server's machine key. This means that the encryption can be broken by anyone who can log in to the server. Also by anyone with write access to a folder containing a web site on the server, because they can upload code, say an aspx page with embedded script, that can do the decryption. This is a good choice if:

    • your server is secure (not shared with other untrusted applications, e.g. a hosting environment)
    • you don't want to copy the web.config to other servers (e.g. in a web farm) - it needs to be encrypted independently on each server.
  • Alternatively, if DPAPI doesn't meet your requirements, you should probably use the RSA provider. You can protect the key with an ACL against unauthorized access by other users on the same server, and can share it across multiple servers.

Joe
  • 122,218
  • 32
  • 205
  • 338
  • There are other security measures in place, I'm just doing research on what could become a good "standard" to use in encrypting my files when releasing out onto the net through my server. I think the DPAPI provider sounds like it may be what I'm after at the moment. – Analytic Lunatic Oct 30 '13 at 14:00
  • So how exactly would I go about changing, say: to the encrypted example shown on: http://msdn.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider(v=vs.100).aspx? – Analytic Lunatic Oct 30 '13 at 14:26
  • @AnalyticLunatic - the following walkthrough should get you started. Ask again if you still have questions: http://msdn.microsoft.com/en-us/library/dtkwfdky(v=vs.100).aspx – Joe Oct 30 '13 at 15:40
  • Thanks Joe! I think I goofed and should have mentioned this before, but will I be able to use DPAPI if I am using an ORACLE server? It is not listed under the platforms on my above linked page. – Analytic Lunatic Oct 30 '13 at 15:47
  • @AnalyticLunatic - not sure what you mean by an "ORACLE server" - but if it's a Windows server you'll be OK. If not you're presumably running Mono and I can't help there. The utility aspnet_regiis lets you encrypt / decrypt the file from the command line, or there are .NET APIs to do it programmatically. – Joe Oct 30 '13 at 16:44
  • My bad >_<! ORACLE Database, not Server... gah, simply getting overloaded today! Sorry for that bit of stupidity... – Analytic Lunatic Oct 30 '13 at 18:02
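As an added example (not code from either answer above), this is the programmatic equivalent of the `aspnet_regiis.exe -pe` route Joe mentions, using the Protected Configuration API with the DPAPI provider; the application path `/MyApp` is an assumption, and the code must run on the server itself under an account that can write the Web.config.

```csharp
// Added example: protect/unprotect a Web.config section with Protected Configuration.
// Assumes an IIS application at virtual path "/MyApp" (assumption) and that this
// runs on the target server, since the DPAPI key is per machine (see Joe's answer).
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Provider names registered in machine.config by default:
    //   "DataProtectionConfigurationProvider" -> DPAPI, machine-bound key
    //   "RsaProtectedConfigurationProvider"   -> RSA key container, ACL-able and shareable
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider   = "RsaProtectedConfigurationProvider";

    // Returns true if the section was encrypted by this call, false if it already was.
    public static bool ProtectSection(string appPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found in Web.config: " + sectionName);

        // Calling ProtectSection on an already protected section throws, so check first.
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;   // write even if values look unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverse operation; useful before copying a DPAPI-protected config to another server.
    public static bool UnprotectSection(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static void Main()
    {
        ProtectSection("/MyApp", "connectionStrings", DpapiProvider);

        // No code change is needed to consume the values: the runtime decrypts
        // transparently, which is exactly why anyone who can run code on the box
        // can read them.
        string cs = ConfigurationManager.ConnectionStrings["Default"]?.ConnectionString;
        Console.WriteLine(cs == null ? "no 'Default' connection string" : "decrypted OK");
    }
}
```

Swapping `DpapiProvider` for `RsaProvider` protects with the RSA key container instead, which is the option Joe recommends when the config has to be shared across a web farm.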
0

You can use the CryptoAPI to encrypt individual configuration values.

You can use the DPAPI to encrypt entire sections.

Dan Esparza
  • 28,047
  • 29
  • 99
  • 127