Encrypt web.config Section

ASP.NET 2.0 allows you to encrypt sections of the web.config file. For example, you may have sensitive information in <appSettings> or database connection strings in <connectionStrings>, and ASP.NET lets you encrypt those sections. The beauty of this approach is that you don’t have to write any decryption code in the application: ASP.NET does it for you automatically.

Using the aspnet_regiis utility you can encrypt sections of the configuration file. Use the following syntax:

aspnet_regiis -pef "appSettings" "c:\inetpub\wwwroot\website1"

The encrypted file might look like the following

I initially tested this code on a Dev box (Win XP, VS 2008) and it worked without any issue. But when I tried the same approach on Windows Server 2003, I encountered the following error.

“Failed to decrypt using provider ‘RsaProtectedConfigurationProvider’. Error message from the provider: The RSA key container could not be opened”

To troubleshoot this issue, you need to add the identity account under which ASP.NET runs to the “Key Container”. You might be asking what the heck this Key Container is. When you encrypt sections of the web.config file, some of the encryption information is stored in it (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA).

To avoid the RSA key error, you need to add the identity to the “Key Container” so that this account has read access to it.

This can be done using the following command:

aspnet_regiis -pa "NetframeworkConfigurationKey" "domain\username"

After executing this command you should not get the error mentioned above.
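One way to confirm which sections of a web.config actually ended up protected after running aspnet_regiis -pef, as an added example that is not part of the original post. The sample file is constructed and abbreviated, and the names section_status and SAMPLE_CONFIG and the status strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"  # namespace of <EncryptedData>
SENSITIVE_SECTIONS = ("appSettings", "connectionStrings")

# Constructed, abbreviated sample: appSettings protected, connectionStrings not.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=example" />
  </connectionStrings>
</configuration>
"""

def local(tag):
    """Strip any '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def section_status(config_xml, sections=SENSITIVE_SECTIONS):
    """Return {section: status} for top-level sections of a web.config string."""
    root = ET.fromstring(config_xml)
    found = {local(child.tag): child for child in root}
    report = {}
    for name in sections:
        node = found.get(name)
        if node is None:
            report[name] = "missing"
            continue
        provider = node.get("configProtectionProvider")
        encrypted = node.find("{%s}EncryptedData" % XMLENC_NS) is not None
        if node.get("configSource"):
            # Section lives in another file, which has to be checked separately.
            report[name] = "external:" + node.get("configSource")
        elif provider and encrypted:
            report[name] = "encrypted:" + provider
        elif provider or encrypted:
            report[name] = "inconsistent"  # attribute and payload disagree
        else:
            report[name] = "plaintext"
    return report

if __name__ == "__main__":
    for name, status in section_status(SAMPLE_CONFIG).items():
        print(name, status)
```

A section reported as plaintext still needs its own aspnet_regiis -pef run.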

3 thoughts on “Encrypt web.config Section”

  1. I still got the “The RSA key container could not be opened” error after running the
    aspnet_regiis -pa "NetframeworkConfigurationKey" "domain\username"
    command. I’m doing this on a server that has probably had accounts taken away from folders (for security reasons) that should not have been, but I don’t know what accounts I need where with what permissions. The C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder has Administrators having Full Access, and just for kicks we stuck in “Domain Users” into the local Administrators group (it’s a Dev server, anyway) and ran the command and still could not grant access for the key container to any accounts. Why would this be? What security settings/folder ACLs could be messed up to cause such a thing? Thanks.

    1. Well I read on another site that, even if your account is an admin, unless you do the command prompt via “runas”, using the App Pool identity to run the command prompt, that it may not work until you do (unless you’re using the Network Service account for the App Pool and it has Full Access to the MachineKeys folder). I’ll try the runas and get back to ya. -Tom

      1. Hi Tom,
        Let me know if it worked or not. I took the identity from the app pool and used it with the aspnet_regiis command… but don’t remember if I ran the command prompt in admin mode or not.
