Encrypt web.config Section

ASP.NET 2.0 allows you to encrypt sections of the web.config file. For example, you may have sensitive information in <appSettings> or database connection strings in <connectionStrings>. ASP.NET lets you encrypt those sections, and the beauty of this approach is that you don't have to write any decryption code in the application. ASP.NET does it for you automatically.

Using the aspnet_regiis utility, you can encrypt sections of a configuration file. Use the following syntax:

aspnet_regiis -pef "appSettings" "c:\inetpub\wwwroot\website1"

The encrypted file might look like the following

I initially tested this code on a dev box (Win XP, VS 2008) and it worked without any issue. But when I tried the same approach on Windows Server 2003, I encountered the following error.

“Failed to decrypt using provider ‘RsaProtectedConfigurationProvider’. Error message from the provider: The RSA key container could not be opened”

To troubleshoot this issue, you need to grant the identity account under which ASP.NET runs access to the “Key Container”. You might be asking what the heck this Key Container is. When you encrypt sections of the web.config file, some of the encryption information is stored in it (under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA).

To avoid the RSA key error, you need to add the identity to the “Key Container” so that this account has access to read it.

This can be done using the following command:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "domain\username"

After executing this command, you should no longer get the error mentioned above.
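The whole procedure as one script, with a check that reports which sections are actually encrypted before and after. This is an added example, not code from the original post. The site path, account name, section list and the v2.0.50727 framework directory are assumptions to adjust for your server, as is treating a non-zero exit code from aspnet_regiis as failure.

```powershell
# Added example: audit web.config section encryption, optionally encrypt, then grant key access.
# Assumptions (not from the article): default values below and the v2.0.50727 framework path.
param(
    [string]$SitePath   = 'C:\inetpub\wwwroot\website1',
    [string]$Account    = 'domain\username',            # identity the ASP.NET app runs as
    [string[]]$Sections = @('appSettings', 'connectionStrings'),
    [switch]$Fix                                          # without -Fix the script only reports
)

$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$config = Join-Path $SitePath 'web.config'

function Get-SectionProtection {
    param([string]$ConfigFile, [string[]]$Names)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigFile)
    foreach ($name in $Names) {
        # local-name() keeps the lookup working when <configuration> declares an xmlns
        $node = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$name']")
        if ($null -eq $node) { continue }                 # section not present in this file
        $provider  = $node.GetAttribute('configProtectionProvider')
        $cipher    = $node.SelectSingleNode("*[local-name()='EncryptedData']")
        # An encrypted section names its provider and holds only an <EncryptedData> child
        $encrypted = ($provider -ne '') -and ($null -ne $cipher)
        New-Object PSObject -Property @{ Section = $name; Encrypted = $encrypted; Provider = $provider }
    }
}

$report = @(Get-SectionProtection -ConfigFile $config -Names $Sections)
$report | Format-Table Section, Encrypted, Provider -AutoSize

if ($Fix) {
    foreach ($item in ($report | Where-Object { -not $_.Encrypted })) {
        & $regiis -pef $item.Section $SitePath            # encrypt the section in place
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed for $($item.Section)" }
    }
    # Grant read access on the default RSA key container to the application identity only
    & $regiis -pa 'NetFrameworkConfigurationKey' $Account
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed for $Account" }

    # Re-read the file so the final report reflects what is on disk now
    Get-SectionProtection -ConfigFile $config -Names $Sections |
        Format-Table Section, Encrypted, Provider -AutoSize
}
```

Run it without -Fix first to see which sections are still in clear text. Pass only the account the application actually runs under, since any identity granted access with -pa can decrypt the protected sections.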
