3

I have the following information in my web.config file.

<appSettings>
<add key="AdminUsername" value="User1"/>
<add key="AdminPassword" value="Password1"/>
</appSettings>

How do I encrypt and store it? How do I decrypt and use it?

vml19
  • The same is answered here: http://stackoverflow.com/questions/6291322/how-to-encrypt-username-and-password-in-web-config-in-c-2-0 – vml19 Oct 03 '11 at 06:56

2 Answers

2

Kindly refer to the article - http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.80%29.aspx

The command is:

aspnet_regiis.exe -pe "appSettings" -site "MySharePoint" -app "/"

where MySharePoint is a Virtual Directory. The web.config file should be inside the directory too.

Wilson Tan
1

The drawback of encrypting configuration sections using aspnet_regiis or the equivalent APIs is that it encrypts entire sections.

Good from a security perspective, but it makes it more difficult for an administrator to inspect other non-sensitive configuration data in the same section. appSettings is a section which an administrator will often want to inspect.

One option is to put your credentials in a different section (e.g. create a dummy connection string in the <connectionStrings> section) and encrypt only this section:

<connectionStrings>
   ...
   <add name="AdminCredentials" 
        providerName="" 
        connectionString="Username=...;Password=..." />
</connectionStrings>

You will of course have to write code to parse the dummy connection string (String.Split) and extract the credentials. Something like the following (omitting error handling for simplicity):

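// Requires: using System.Configuration; (and a reference to System.Configuration.dll)
string s = ConfigurationManager.ConnectionStrings["AdminCredentials"].ConnectionString;
string[] tokens = s.Split(';');
// Split each pair on the first '=' only, so a value containing '=' is not truncated.
string userName = tokens[0].Split(new char[] { '=' }, 2)[1];
string password = tokens[1].Split(new char[] { '=' }, 2)[1];
...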

By doing this, you can leave your appSettings section unencrypted.

Joe
  • Can you elaborate a bit on encrypting a dummy section? – vml19 Sep 20 '11 at 15:41
  • @Nilaa, my suggestion was a dummy *connectionString*, not a dummy *section*. See the sample code - a connection string with an empty string for the providerName, and your username and password in the connectionString itself. You then write code to parse the username and password out of the dummy connection string. – Joe Sep 21 '11 at 05:27
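
The "equivalent APIs" mentioned in the second answer, as an added example that is not code from either answer: it encrypts only the connectionStrings section from C# and reads the dummy AdminCredentials entry back. The class and method names are hypothetical, and the provider name assumes the default RSA provider registered in machine.config.

```csharp
// Added example: AdminCredentialStore and its members are hypothetical names.
using System.Configuration;
using System.Data.Common;
using System.Web.Configuration;

public static class AdminCredentialStore
{
    // Assumption: the default RSA provider registered in machine.config.
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the application's web.config and leaves
    // <appSettings> readable. Run once, e.g. as a deployment step.
    public static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return; // nothing to do, or already encrypted

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reads the dummy entry. ASP.NET decrypts the section transparently,
    // so no explicit decrypt call is needed here.
    public static void Read(out string userName, out string password)
    {
        ConnectionStringSettings entry =
            ConfigurationManager.ConnectionStrings["AdminCredentials"];
        if (entry == null)
            throw new ConfigurationErrorsException(
                "Connection string 'AdminCredentials' is missing.");

        // DbConnectionStringBuilder understands quoted values, so a password
        // containing ';' or '=' survives, unlike a plain String.Split.
        DbConnectionStringBuilder builder = new DbConnectionStringBuilder();
        builder.ConnectionString = entry.ConnectionString;

        object u, p;
        if (!builder.TryGetValue("Username", out u) ||
            !builder.TryGetValue("Password", out p))
            throw new ConfigurationErrorsException(
                "AdminCredentials must contain Username and Password.");

        userName = u.ToString();
        password = p.ToString();
    }
}
```

The identity that runs ProtectConnectionStrings needs write access to web.config, and the application's identity needs read access to the RSA key container used by the provider.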