Web Config Encryption/Decryption in Framework 4.0

The RSAProtectedConfigurationProvider is the default protected configuration providers. It supports machine level and user level key containers for key storage. RSA machine key containers are stored in “C:\Documents and Settings\All users\Application data\Microsoft\Crypto\RSA\MachineKeys” in Windows server 2003. The default ‘keycontainerName’ for RSAProtectedConfigurationProvider in machine.config is called ‘NetFrameworkConfigurationKey’ (it’s good practice to change it in the production servers).

To encrypt a web.config file with Framework 4.0 I have used the following steps,

1. Find the location of the root web folder. In this case its “D:\Inetpub\wwwroot\DemoWebsite
2. Create an RSA keypair in ContainerName. The default ‘keycontainerName’ for RSAProtectedConfigurationProvider in machine.config is called ‘NetFrameworkConfigurationKey’ (it’s good practice to change it in the production servers). Modify the web.config in the root folder of the DemoWebsite by adding the following sub-section within the Configuration tag section. I have modified the KeyContainerName to “DemoWebsiteConfigurationKey” and the key name to “DemoWebsiteRSAProtectedConfigurationprovide”.

<add keyContainerName="DemoWebsiteConfigurationKey"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Note: The keyContainerName default lives in machine.config (usually in C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG) we would find this section. We do not want to modify the default machine config, so create a configProtectedData tag in the DemoWebsite’s web.config file.

<configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
<add name="RsaProtectedConfigurationProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
useOAEP="false" />
<add name="DataProtectionConfigurationProvider"
type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt"
keyEntropy="" />

3. Windows > Run > cmd. If you are using Framework 4.0 the go to folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319. Run below to create the RSA cryptographic key container called “DemoWebsiteConfigurationKey”,

aspnet_regiis -pc "DemoWebsiteConfigurationKey" –exp

4. Grant access to the key container by the default asp.net account:

aspnet_regiis -pa "DemoWebsiteConfigurationKey" "NT Authority\Network Service"

Note: If you do not do this step you might see this error “Failed to decrypt using provider ‘RsaProtectedConfigurationProvider’. Error message from the provider: The RSA key container could not be opened”

5. Back up the web.config file, in case. Now to encrypt connection string type below and enter.

aspnet_regiis.exe -pef "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

6. Now to encrypt appSettings type below and enter.

aspnet_regiis.exe -pef "appSettings" "D:\Inetpub\wwwroot\DemoWebsite" -prov "DemoWebsiteRSAProtectedConfigurationProvider"

Now if you want to modify your web.config you have to decrypt using the steps below first. Then modify and encrypt again. To decrypt I did the following,

1. Windows > Run > cmd.
2. Go to folder C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319.
3. Find the location of the root web folder. In this case its “D:\Inetpub\wwwroot\DemoWebsite
4. Now to decrypt connection string type below and enter.

aspnet_regiis.exe -pdf "connectionStrings" "D:\Inetpub\wwwroot\DemoWebsite"

5. Now to decrypt appSettings type below and enter.

aspnet_regiis.exe -pdf "appSettings" "D:\Inetpub\wwwroot\DemoWebsite"

ASP.NET IIS Registration Tool
Encrypting the connection string in ASP.NET V2.0
RSA Algorithm
Encrypting configuration files using protected configuration
Managing Connection Strings for Web Farms in ASP.NET 2.0


Diganta Kumar has architected and developed software for more than a decade for a wide range of industries and development platforms and over the years has filled many roles including program manager, founder, developer, architect, team lead, mentor and project manager. Diganta is founder of two online IT businesses. He is a certified AWS Solutions Architect, certified Professional Scrum Master (PSM I), certified Professional Scrum Developer (PSD I) and ITIL Certified. He has presented at Microsoft Tech.Ed, Microsoft AppFest and Ark Group Intranet conference. He attends AWS Seattle Official Events, Seattle AWS Architects-Engineers, and AWS Cloud Commerce user groups. He likes to help, mentor and manage software development teams to improve and produce great software. He currently work as a Senior Technical Program Manager for Amazon Web Services.

Tagged with:
Posted in ASP.NET, Security
2 comments on “Web Config Encryption/Decryption in Framework 4.0
  1. Pedro Suarez says:

    Hello Diganta,

    Thanks a lot for this article, it definitely helps a lot.

    How can I prevent users with access to the server to decrypt the web.config?

    My company has a security team that keeps track of the service accounts (hardcoded on the web.config). Server Administrators needs to have access to the server and to the website. Problem is that if I “-pa” the admins to grant them acccess to the server, they are now able to decrypt the web.config and see the password for the service account. I also tried to create a user-level key (-pku), but the result is the same.

    Is there another way to encrypt the web.config and only allow certain users to decrypt it?

    Any help is highly appreciatted.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s