
I'm planning to encrypt the connection strings of a web configuration file belonging to an application which will be run in a server farm. I am aware of the aspnet_regiis command line tool to encrypt the sections using it. But I have some doubts, which I expect you guys can solve.

My question is that if I encrypt the connectionstrings and the web.config file is stolen by some hacker, will he be able to decrypt it using the same command line with -pe switch? The same is shown below.


  1. My Servers, My Web.Config, Not Encrypted (I created pure web config)
  2. My Servers, My Web.config, Encrypted (I encrypted web config)
  3. Someone's server, My web.config, Encrypted (Someone stole my web config)

Is he able to decrypt using the same commandline like

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
Ananthan Unni

1 Answer


Jon Galloway has an interesting method of handling this situation on his blog: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

The post is referring to an app.config, but the same should apply to a web.config as well.

EDIT: I guess that I answered before fully realizing what you were asking. My apologies if the referenced blog is of no assistance.

EDIT2: In response to the actual question, the answer is maybe. The hacker would be able to decrypt your web.config if he had access to the encryption key information. According to MSDN (http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx):

To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have permission to read the appropriate encryption key information.

dub stylee
  • Hi Dub, thanks for your help. But I don't think this article addresses my requirement. Actually I am looking for a kind of confirmation on the question: if I encrypt using the aspnet_regiis command line, will it be vulnerable to decryption if some random guy who is aware of this command-line option steals the web config? Do you have any idea on it, maybe? Can this command-line approach be taken to prevent the risk of the web config file being stolen (in the worst case)? – Ananthan Unni Jan 22 '14 at 00:19
  • See my second edit for the answer to the original question. Sorry for jumping the gun! :) – dub stylee Jan 22 '14 at 00:24
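
An added example, not part of the original question or answer: it parses a web.config and reports what a copied file exposes for `connectionStrings`. With the RSA provider the file holds the ciphertext and an RSA-wrapped session key, while the RSA private key stays in the key container on the server. Both sample documents are constructed, the `CipherValue` contents are placeholders, and the function name `audit_connection_strings` is hypothetical.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the layout aspnet_regiis -pe writes with the RSA provider.
# CipherValue contents are placeholders, not real ciphertext.
SAMPLE_ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>PLACEHOLDER-WRAPPED-KEY</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Constructed sample: an unprotected section (case 1 in the question).
SAMPLE_PLAIN = """<configuration><connectionStrings>
  <add name="Db" connectionString="Server=db01;Database=App;User Id=app;Password=CONSTRUCTED" />
</connectionStrings></configuration>"""

def audit_connection_strings(xml_text):
    """Report what a copy of web.config exposes for <connectionStrings>."""
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None:
        return {"state": "absent"}
    enc = section.find(XENC + "EncryptedData")
    if enc is None:  # readable by anyone who obtains the file
        names = [a.get("name") for a in section.findall("add")]
        return {"state": "plaintext", "exposed_entries": names}
    wrapped = enc.find(f"{DSIG}KeyInfo/{XENC}EncryptedKey")
    key_name = wrapped.findtext(f"{DSIG}KeyInfo/{DSIG}KeyName") if wrapped is not None else None
    return {
        "state": "encrypted",
        "provider": section.get("configProtectionProvider"),
        "key_name": key_name,  # a label only; the RSA private key is not in the file
        "wrapped_session_key_present": wrapped is not None
            and wrapped.find(f"{XENC}CipherData/{XENC}CipherValue") is not None,
    }

if __name__ == "__main__":
    for label, doc in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(label, audit_connection_strings(doc))
```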