ASP.Net MVC 4 App: Best way to encrypt Web.Config files?

21 Replies - 18877 Views - Last Post: 01 November 2013 - 12:10 PM

#1 AnalyticLunatic

Posted 30 October 2013 - 06:38 AM

I was wondering what the best (most secure) way to encrypt Web.Config files in an ASP.Net MVC 4 Application is? I have some background with developing in-house applications using C#, but we never focused too much on encryption due to other security that was already in place.

Replies To: ASP.Net MVC 4 App: Best way to encrypt Web.Config files?

#2 modi123_1

Posted 30 October 2013 - 06:51 AM

I've never had an issue with aspnet_regiis.exe and the '-pe' option (though you need to do this on the deployment machine and not locally before you deploy).

#3 AnalyticLunatic

Posted 30 October 2013 - 07:04 AM

At this time I'm just looking to add a little extra security to my apps. I did some research over on SO and it sounds like the DPAPI Protected Configuration Provider may be what I'm after at the moment. Anyone have experience using this? Tips or advice?

#4 modi123_1

Posted 30 October 2013 - 07:09 AM

Ah.. doesn't that article just point to the same thing I just said? aspnet_regiis.exe ?

#5 AnalyticLunatic

Posted 30 October 2013 - 07:17 AM

modi123_1, on 30 October 2013 - 02:09 PM, said:

Ah.. doesn't that article just point to the same thing I just said? aspnet_regiis.exe ?


I believe so, possibly? I'm looking specifically at the example on this page.

What exactly would I need to do to change, say:

<connectionStrings>
  <add name="SchoolContext" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=ContosoUniversity;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\ContosoUniversity.mdf" providerName="System.Data.SqlClient" />
</connectionStrings>


to the encrypted example shown? All of this is new territory to me.

#6 modi123_1

Posted 30 October 2013 - 07:25 AM

That seems overly.. complex. With that exe I was talking about you literally:
- deploy your code
- open a command window in your deployed folder
- run the exe
- done.

IIS deals with the encryption/decryption.. on the fly.. so no new coding for you!

#7 AnalyticLunatic

Posted 30 October 2013 - 07:39 AM

modi123_1, on 30 October 2013 - 02:25 PM, said:

That seems overly.. complex. With that exe I was talking about you literally:
- deploy your code
- open a command window in your deployed folder
- run the exe
- done.

IIS deals with the encryption/decryption.. on the fly.. so no new coding for you!


Still a little fuzzy, though that does sound simpler. So I publish my application to the server... and then? How exactly does the aspnet_regiis.exe go about encrypting my Web.Config file? Do I have to open a command window and run the exe each time I have a new published version?

#8 modi123_1

Posted 30 October 2013 - 07:52 AM

Yeah.. you pop into your web server.. deploy your compiled code.. navigate to your folder with your config.. I typically do shift+alt+right click and 'open command window here'.. then chuck in the exe and -pe and it does its thing.

I believe it deals with using a registry key and data from that specific machine.. (hence why you cannot do it locally).. so yeah.. every deployment. I do believe it is written into our 'deployment procedures'.. and is all of a ten second addition to the steps.

#9 AnalyticLunatic

Posted 30 October 2013 - 07:56 AM

Interesting. So then each page request goes in and uses the registry key to request the connString, etc. from the Server? And there isn't any extra maintenance hassle or debugging trouble then, other than the short process of running the exe?

#10 modi123_1

Posted 30 October 2013 - 08:07 AM

Not that I've ever encountered. It's a "set it and forget it" sort of thing... but as you mentioned - you need to run it every deployment. (assuming your config updates each time)..

#11 AnalyticLunatic

Posted 30 October 2013 - 08:13 AM

I see. So then can you explain to me what precisely is the benefit as compared to just normally publishing my project without this additional step? Also, while I don't think there would be I thought it wise to ask, would there be any issues if my host server is ORACLE?

#12 modi123_1

Posted 30 October 2013 - 08:16 AM

The benefit is it encrypts your config so Joe-blow doesn't wander by and cherry pick out your database names, passwords, etc. (you know - the thread's title)

As far as I understand - if your ASP.NET pages have an IIS to run on this should work.

#13 AnalyticLunatic

Posted 30 October 2013 - 08:30 AM

Ok. Thanks modi, I'll give it a try! ^^

#14 modi123_1

Posted 30 October 2013 - 08:32 AM

No prob. As I said - it works well for me..

#15 AnalyticLunatic

Posted 01 November 2013 - 08:27 AM

Ok Modi, based off of this page, I did the following:

  • Went to "All Programs" -> "Microsoft Visual Studio 2012" -> "Visual Studio Tools" -> "Open VS2012 x64 Native Tools Command Prompt".
  • Typed:
    aspnet_regiis -pe "connectionStrings" -app "C:/FirstName-Projects/ProjName-TEST/SolutionName/Web.config" -prov "DataProtectionConfigurationProvider"
    

  • Received: "The value used in the -app parameter must begin with a forward slash."


I'm guessing I did something wrong in my attempt to call the Web.config file down through my C: directory?

I then read through to the part of Step 3.4 and also tried the -pef by using
aspnet_regiis -pef "connectionStrings" C:FirstName-Projects/ProjName-TEST prov "DataProtectionConfigurationProvider"
which resulted in a full listing of all registration options I can provide.

Can you give me some input on what to use based on the Web.config file being in C:/FirstName-Projects/ProjName-TEST/SolutionName/Web.config?

This post has been edited by AnalyticLunatic: 01 November 2013 - 08:44 AM

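Added example, not part of any post in the thread: a PowerShell deployment step that encrypts `connectionStrings` by physical path with `-pef`, then checks that the section in Web.config now holds `EncryptedData` instead of the plaintext connection string. The site folder and the 64-bit .NET 4 framework path are assumptions; run it elevated on the server itself, because a section protected with DPAPI machine keys only decrypts on the machine that encrypted it.

```powershell
# Added example. $SiteDir and the framework path are assumptions; adjust for your server.
param(
    [string]$SiteDir  = 'C:\inetpub\wwwroot\MyApp',   # hypothetical folder that contains Web.config
    [string]$Section  = 'connectionStrings',
    [string]$Provider = 'DataProtectionConfigurationProvider'
)

# 64-bit .NET 4.x copy of the tool (assumed install location for an MVC 4 app).
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$config = Join-Path $SiteDir 'Web.config'
if (-not (Test-Path -LiteralPath $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path -LiteralPath $config)) { throw "No Web.config in $SiteDir" }

function Test-SectionEncrypted {
    param([string]$Path, [string]$Name)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode("/configuration/$Name")
    if ($null -eq $node) { throw "Section <$Name> not found in $Path" }
    # An encrypted section names its provider and wraps its content in <EncryptedData>.
    $hasProvider = $node.GetAttribute('configProtectionProvider') -ne ''
    $hasCipher   = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
    return ($hasProvider -and $hasCipher)
}

if (Test-SectionEncrypted -Path $config -Name $Section) {
    Write-Output "<$Section> is already encrypted; nothing to do."
    return
}

# -pef takes the section name and the physical DIRECTORY holding Web.config, not the file.
# (-pe with -app expects an IIS virtual path such as "/MyApp" instead.)
& $regiis -pef $Section $SiteDir -prov $Provider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

if (-not (Test-SectionEncrypted -Path $config -Name $Section)) {
    throw "<$Section> in $config is still plaintext"
}
Write-Output "<$Section> encrypted with $Provider."
```

To edit the section later, decrypt it on the same server with `aspnet_regiis -pdf "connectionStrings"` followed by the site folder, make the change, and run the script again.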