I have an app.config file that I need to distribute with my application. It was created because of a Service Reference to an ASMX web service I added.
It isn't a huge deal if this file is modified/viewed, but I still would like to make it secure. I already check the hash of the config and make sure it is valid, but I still want an added layer of protection.
Here is my config: http://pastie.org/private/zjdzadnfwrjvwkmlbdsqw
So is there anything in there that I can encrypt or anything?
You cannot encrypt the entire <system.serviceModel> - it's a configuration section group, which contains configuration sections.
The aspnet_regiis will only encrypt configuration sections - so you need to selectively encrypt those parts you need, like this:
cd C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
aspnet_regiis.exe -pef "system.serviceModel/bindings" .
aspnet_regiis.exe -pef "system.serviceModel/services" .
etc.
With this, you can encrypt what you need easily - what isn't too important, can be left in clear text.
Word of warning: since it's aspnet_regiis, it expects to be dealing with a web.config file - copy your app.config to a location and call it web.config, encrypt your sections, and copy those encrypted sections back into your own app.config.
Or write your own config section encrypter/decrypter - it's really just a few lines of code! Or use mine - I wrote a small ConfigSectionCrypt utility, come grab it off my OneDrive - with full source (C# - .NET 3.5 - Visual Studio 2008). It allows you to encrypt and decrypt sections from any config file - just specify the file name on the command line.
You must set a reference to System.Configuration.dll in your project for the code to run.
ExeConfigurationFileMap configFileMap = new ExeConfigurationFileMap();
configFileMap.ExeConfigFilename = exeConfigName;
System.Configuration.Configuration myConfig = ConfigurationManager.OpenMappedExeConfiguration(configFileMap, ConfigurationUserLevel.None);
ConnectionStringsSection section = myConfig.GetSection("connectionStrings") as ConnectionStringsSection;
if (section.SectionInformation.IsProtected)
{
// Remove encryption.
section.SectionInformation.UnprotectSection();
}
else
{
// Encrypt the section.
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
}
myConfig.Save();
I use the following to encrypt my connection strings in web.config, why not use the same for yourself. I am not sure though.
To Encrypt:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "\myWebSitePath"
To Decrypt:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" "\myWebsitePath"
Put them in bat files so you can encrypt or decrypt on the fly.
The answer from @marc_s is awesome, but I had a little trouble understanding exactly how to do what he had mentioned. This MSDN forum answer does a really good job of explaining the same process in simpleton format for people like myself who are not programming big shots yet. Here is the breakdown:
The best way to do this is to protect it using the aspnet_regiis.exe application. Even if the application is not an ASP.NET application, this will still work. Here's how.
- Rename the app.config in your directory to web.config (don't worry, this is just temporary, we'll rename it back later).
- Go to the command prompt.
- Type the following (replace the last argument with the path containing the directory to the app.config, currently renamed to web.config. For example, if the full path to the web config is "C:\documents and settings\bob\projects\myproject\web.config", you would use "C:\documents and settings\bob\projects\myproject")
%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings"
- You should see it say "Succeeded!"
- Reopen the web.config, it should look something like this:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>rUmEA8h02uMZ5M4uEVtL+5M/UvPuyJ4UJz5d/Pd4h4jpFPGVf29ha4d+BMt/iOupVisXDxuZY1jzyc6O0ZixGcCkZqbynwKjouVANQVWUnDgIFgVap2ohsxjblAMtWHTUWDlL0ST5tqSVHNQE+r9G59Bnrp5HkuU3Eg09/8j6Jo=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>U2JEHzJ+WjSdlocT00cC9TE3+Dn3v7xE1RwX7bKAPuISO2f3hm18MZHnm1hXEBlnDS6iBNRPN87+BJJvZXYz+Sis/ZD4xBZEP4jBG2F8tqlLUbagv3W4epbuTSp2aalb5rdcBoycdIzSj2CApOzSaSKkMDvZrX8yoJI9RfuGnOWmNa4bncHkUEDvWq+uCK/8uaQ48J5uRoq7O0YgIe9jDg==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
</configuration>
- Lastly, rename the file from web.config to app.config.
That's it! You shouldn't have to do anything else to get this to work. If you use the ConfigurationManager in your code to retrieve the setting, it should fetch it just fine for you using the same code.
That being said, if you're going to install this on several computers, you might want to consider providing user-specific logins to your server for each user who uses the application. That way you can still track what they do, and you can prevent them from logging on at all on a user-by-user basis.
Well the file will be read by the program when it is run so changing the file could be a bad idea, you could add checksums to each line to make sure it's valid by checking it in your application or checking for modifications since last run or something. I've never heard of encrypting an app.config before to be honest.
It isn't a huge deal if this file is modified/viewed...
In that case, what is the security for?
You can programmatically encrypt sections of a config file with SectionInformation.ProtectSection.
