1

anyone from MS or some MS MVP? Any improvements for encrypting specific custom section in web.config besides using hack like in Using ASPNet_Regiis to encrypt custom configuration section - can you do it?

Danger of being hacked is very high these days, so be able encrypt config is something which can certainly help improve security.

Anyone info, update welcome.

Thanks, X.

Community
  • 1
  • 1
Jaroslav Urban
  • 1,269
  • 3
  • 20
  • 32

2 Answers2

2

Not sure if this is an answer to your question, but when I had the issue with encrypting an custom configuration section, got the error unable to find the "type" assembly.

i found this link in which it was suggested using System.Configuration.SingleTagSectionHandler if the custom section only has single tag element with multiple attributes

VaultOfThoughts link

Now i can encrypt the custom config section using "aspnet_regiis -pe" command line.

kayess
  • 3,384
  • 9
  • 28
  • 45
prb
  • 21
  • 4
0

I've faced this problem myself today and really struggled to get anywhere with the command line tool aspnet_regiis.exe

I think my main problem is that I had built myself a custom section group, not just a section so the command line tool didn't really want to play ball.

Instead I wrote a webpage with access restricted to myself with code similar to the following

Private Sub Encrypt()
    Dim cfg As Configuration = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    Dim grp As ConfigurationSectionGroup = cfg.GetSectionGroup("MySectionGroup")
    Dim sect As ConfigurationSection
    For r As Integer = 0 To grp.Sections.Count - 1
        sect = grp.Sections(r)
        If Not sect.SectionInformation.IsProtected Then
            sect.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
        End If
    Next
    cfg.Save()
End Sub

Hope this helps or at least points you in the right direction :) Decrypting is basically the opposite of above (.UnprotectSection)

CResults
  • 5,100
  • 1
  • 22
  • 28
  • I presume you are doing encrypting only once, during deployment. Do you use msbuild to encrypt it? Also whne accessing config sections, you have your own implementation, like some kind of singleton, which takes care of decrypting. Nice and simple workaround, th for tip. – Jaroslav Urban Jun 05 '11 at 21:35
  • No, I'm using the built-in framework commands for accessing the custom section, just as you would if it was unencrypted. Asp.net silently decodes it in the background if its protected without any code changes from you. – CResults Jun 16 '11 at 06:45