5

Looking here: https://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

They encrypt the machineKey in the web.config as well as the ConnectionStrings.

Is this because, when using a custom machineKey per site, it will use the machine key to encrypt the connection string?

Or is the machine key just used for view state encryption? And therefore it's prudent to encrypt it to help protect the application?

RemarkLima
  • [Explanation on Machine Key in similar SO question](http://stackoverflow.com/questions/3759536/asp-net-machinekey-config-section-default-location) – lazy Sep 04 '15 at 16:22

1 Answer

5

MachineKey is used only to encrypt/decrypt/validate ASP.NET cookies and anti-forgery tokens, and it handles mostly USER data related security. MachineKey has nothing to do with decrypting configuration values. ASP.NET will not use MachineKey to decrypt the connection string.

In fact MachineKey is as sensitive as the connection string, because after obtaining it, someone can easily create an authenticated cookie which will allow them to log in as any user. That's why it should be encrypted.

You have to encrypt MachineKey by yourself.

Akash Kava
  • Many thanks for the answer and explaining why I should encrypt the `machinekey` as well. If you use the default `machineKey` per app in IIS, is it still obtainable, or does that effectively secure it? – RemarkLima Sep 08 '15 at 13:33
  • Default MachineKey is not accessible, I think IIS manages automatically and puts it somewhere, but is that secure or not, I have no idea. – Akash Kava Sep 08 '15 at 13:53
  • Thanks - I assume the machine config and other OS level items are harder to get at than a potential `web.config` sitting in a FTP site etc... Thank you again for the clarification, and how a machine key could be used against you! – RemarkLima Sep 08 '15 at 14:09
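As an added illustration of the point made in the answer (this is not code from the question, the answer or the MSDN page), here is a small audit script that reads a `web.config` and reports whether the two sections that matter here, `connectionStrings` and `system.web/machineKey`, are still in plaintext or have been run through Protected Configuration. A protected section carries a `configProtectionProvider` attribute and an `EncryptedData` child; a `machineKey` whose keys are `AutoGenerate` stores no secret in the file at all. The two sample configs embedded below are constructed for the example; the key and cipher values in them are placeholders.

```python
"""Audit an ASP.NET web.config for sensitive sections left in plaintext.

Added example, not from the original post. Checks the two sections discussed
in the thread: connectionStrings and system.web/machineKey. Sample configs
below are constructed; key material and cipher text in them are placeholders.
"""
import xml.etree.ElementTree as ET

# Element paths (relative to <configuration>) of the sections worth protecting.
SENSITIVE_SECTIONS = {
    "connectionStrings": "connectionStrings",
    "system.web/machineKey": "system.web/machineKey",
}


def _local_name(tag):
    # Strip an XML namespace prefix such as {http://www.w3.org/2001/04/xmlenc#};
    # the RSA provider writes EncryptedData in the XML Encryption namespace.
    return tag.rsplit("}", 1)[-1]


def section_status(root, path):
    """Return 'absent', 'protected (<provider>)', 'auto-generated' or 'PLAINTEXT'."""
    node = root.find(path)
    if node is None:
        return "absent"
    provider = node.get("configProtectionProvider")
    has_cipher = any(_local_name(child.tag) == "EncryptedData" for child in node)
    if provider and has_cipher:
        return "protected (%s)" % provider
    # A machineKey with AutoGenerate keys holds no secret in the file itself.
    if _local_name(node.tag) == "machineKey" and all(
        node.get(attr, "AutoGenerate").startswith("AutoGenerate")
        for attr in ("validationKey", "decryptionKey")
    ):
        return "auto-generated"
    return "PLAINTEXT"


def audit_web_config(xml_text):
    """Map each sensitive section name to its protection status."""
    root = ET.fromstring(xml_text)
    return {name: section_status(root, path) for name, path in SENSITIVE_SECTIONS.items()}


# Constructed sample: both sections stored in the clear (placeholder values).
UNPROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;Database=app;User Id=app;Password=PLACEHOLDER"/>
  </connectionStrings>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""

# Constructed sample: the same sections after Protected Configuration has been applied.
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER_CIPHER_TEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>PLACEHOLDER_CIPHER_TEXT</CipherValue></CipherData>
      </EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

# Constructed sample: default-style machineKey, no stored key material.
AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("unprotected", UNPROTECTED_CONFIG),
                       ("protected", PROTECTED_CONFIG),
                       ("auto-generated", AUTOGEN_CONFIG)):
        print(label)
        for section, status in audit_web_config(cfg).items():
            print("  %-22s %s" % (section, status))
```

To move a section from the PLAINTEXT state to the protected one, the tool the MSDN page describes is `aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp"` (and likewise `-pe "system.web/machineKey"`), which is why both sections appear encrypted in that article; the script above is just a way to confirm nothing was missed before a `web.config` is copied to a share or FTP site.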