15

I have the entries below in my Web.config and I am using .NET 2.0 and C# for coding.

 <add key="userName" value="s752549"/>
 <add key="userPassword" value="Delhi@007"/>

Now I want this to be encrypted so that nobody can see it, and also these passwords may change frequently (every fifteen days).

Luke Girvin
Manoj Singh

4 Answers

14

Just wanted to add to this: the marked answer was 99% complete, but it didn't provide how to specify the location of the web config. Rather than root around the internet, thought I'd just post the complete command. As such, here is the command I executed:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -pef "secureAppSettings" "C:\MyLocalPublishDirectory\MyApp" -prov DataProtectionConfigurationProvider
ewitkows
13

You could put the username and password into a separate section and encrypt this section only. For example:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>

    <appSettings>
        <add key="Host" value="www.foo.com" />
        <add key="Token" value="qwerqwre" />
        <add key="AccountId" value="123" />
        <add key="DepartmentId" value="456" />
        <add key="SessionEmail" value="foo@foo.com" />
        <add key="DefaultFolder" value="789" />  
    </appSettings>

    <secureAppSettings>
        <add key="userName" value="s752549"/>
        <add key="userPassword" value="Delhi@007"/>

    </secureAppSettings>  
</configuration>

and then use aspnet_regiis. For example:

aspnet_regiis -pef secureAppSettings . -prov DataProtectionConfigurationProvider
Saurabh
  • How to give path of webconfig in aspnet_regiis? – Manoj Singh Jun 09 '11 at 12:00
  • And also can you please let me know how to get the encrypted values in our .net code. – Manoj Singh Jun 09 '11 at 12:11
  • Check this for more detail: http://diablopup.blogspot.com/2007/04/aspnetregiis-encryptdecrypt-webconfig.html. Get values like this: string userName = ConfigurationSettings.AppSettings["userName"]; – Saurabh Jun 09 '11 at 12:23
  • As a side note, you could choose to encrypt the entire "appSettings". You don't specifically need a separate region, which keeps your code simple. This is how my project currently does encryption (we also encrypt the connection strings). – raider33 Sep 24 '14 at 00:58
3

You can Protect / Unprotect entire config sections in .NET.

For more info see http://www.codeproject.com/Articles/38188/Encrypt-Your-Web-config-Please.aspx

Raghu
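Added example, not taken from any of the answers: protecting the `secureAppSettings` section from code and reading its values back in C#. `AppSettings` only exposes `<appSettings>`, so the custom section is read with `ConfigurationManager.GetSection`, and decryption happens transparently. The class and method names are hypothetical; the section name and provider are the ones used in the answers above.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper; requires references to System.Configuration and System.Web.
public static class SecureSettings
{
    private const string SectionName = "secureAppSettings";

    // Encrypts the section in Web.config if it is still plain text.
    // Returns true when the file was changed. The process identity
    // needs write access to Web.config for the save to succeed.
    public static bool EnsureProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + SectionName);

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        // DPAPI-based provider: the ciphertext can only be decrypted on this machine.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reads one value; .NET decrypts the protected section on access.
    public static string Get(string key)
    {
        NameValueCollection settings =
            (NameValueCollection)ConfigurationManager.GetSection(SectionName);
        if (settings == null)
            throw new ConfigurationErrorsException("Section not found: " + SectionName);

        string value = settings[key];
        if (value == null)
            throw new ConfigurationErrorsException("Missing key: " + key);
        return value;
    }
}
```

Call `SecureSettings.EnsureProtected("~")` once at application start and `SecureSettings.Get("userPassword")` wherever the credential is needed. For the fifteen-day password change, decrypt the section with `aspnet_regiis -pdf`, edit the value, and encrypt it again.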
1

You could use aspnet_regiis; see http://msdn.microsoft.com/en-us/library/zhhddkxy(v=VS.80).aspx

Mike Miller