2

When working with ASP.NET we can encrypt parts of the ASP.NET console application's app.config file by following these steps:

1- Rename the app.config to web.config, then run this command:

```
ASPNET_REGIIS -pef "<<customAppSettingsGroup>>/<<customAppSettings>>" "C:\projects\MSE\MSE\MSE"
```

2- Rename the web.config back to app.config.

Now inside ASP.NET Core we do not have app.config; instead we have appsettings.json. So my question is whether we can encrypt parts of appsettings.json using the above approach. If the answer is no, then what are the approaches to encrypt sections of appsettings.json?

Thanks

John John
  • @RyanWilson you mean I can add an app.config file to my .NET Core application? – John John Apr 29 '21 at 17:27
  • 1
    Yes, you can add any type of file you like. But since you are trying to encrypt/decrypt sections of it using the ASP.NET tool, I'm not sure that this will work for you. There are multiple posts on here about doing something similar to the appsettings.json file. [encrypted-configuration-in-asp-net-core](https://stackoverflow.com/questions/36062670/encrypted-configuration-in-asp-net-core) – Ryan Wilson Apr 29 '21 at 17:35
  • @RyanWilson it is not clear what the actual replacement for `ASPNET_REGIIS` is in .NET Core? – John John Apr 30 '21 at 23:04

1 Answer

1

The short answer is no: you should not use ASPNET_REGIIS anymore, unless you want to decrypt it manually.

For the development environment, you should use the Secret Manager tool as described here.

Initialize

```
dotnet user-secrets init
```

Set a secret

```
dotnet user-secrets set "Movies:ServiceApiKey" "12345"
```

For the production environment, the recommended approach is Azure Key Vault.

Assuming you have an Azure Key Vault ready

Set your secrets

```
az keyvault secret set --vault-name {KEY VAULT NAME} --name "SecretName" --value "secret_value_1_prod"
az keyvault secret set --vault-name {KEY VAULT NAME} --name "Section--SecretName" --value "secret_value_2_prod"
```

Azure-hosted apps use these instructions

If you host your app outside Azure you must follow these instructions

PS: If your application won't load keys at runtime, only on start, the free tier is more than enough.

There is a third option to create a custom provider as you can check here.

OR

This article from Visual Studio Magazine is about a custom configuration provider with AES encryption

Fourth option:
If you are willing to use Docker you can rely on Docker Swarm secrets as shown in this article

Alexrgs
  • 1
    I want to use a simpler approach similar to ASPNET_REGIIS. So can I still use ASPNET_REGIIS inside ASP.NET Core? – John John May 03 '21 at 21:26
  • Not in the way you used to. ASPNET_REGIIS is used as just an encryption tool; it has no knowledge of the new appsettings.json structure, so if you are willing to rename the file to encrypt it and decrypt the whole file manually every time before your app runs, it's possible but not practical or safe. If you don't want to use Azure, your best bet is a custom configuration provider; check [this article](https://visualstudiomagazine.com/articles/2019/09/26/decrypting-config-settings.aspx) – Alexrgs May 04 '21 at 15:45
  • 1
    Yeah, I also believe writing your own configuration provider is the thing that makes most sense. Azure Key Vault is nice but not everyone is on that; also maybe you can't afford the vendor lock-in. – jpgrassi May 05 '21 at 09:43
  • @Alexrgs but I am not sure how I will integrate this encryption provider with my .NET Core application? – John John May 06 '21 at 11:24
  • @johnGuit Once you have your custom config provider you should change your startup to use the new provider. Something like this: `public Startup(IConfiguration configuration, IWebHostEnvironment env) { IConfigurationBuilder encryptingBuilder = new ConfigurationBuilder() .AddJsonFile("appsettings.json") .Add(new EncryptedConfigurationSource(key, iv)) .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true); IConfiguration cfg = encryptingBuilder.Build(); }` You can use CyberChef to encrypt. – Alexrgs May 06 '21 at 17:37
  • @Alexrgs but using ASPNET_REGIIS I am able to encrypt and decrypt. Not sure if I can use the same approach. – John John May 07 '21 at 16:34
  • @johnGu unfortunately you cannot use ASPNET_REGIIS; your app has no idea how to decrypt your settings, as the settings (just a file) are read directly in the app. I should have been clearer in my answer. – Alexrgs May 13 '21 at 20:32
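
One way to implement the custom configuration provider suggested in the answer and comments above, as an added example that is not from the thread or the linked article: it decrypts individual `enc:`-prefixed values of appsettings.json with AES-GCM, used here in place of the key/IV pair in the comment's snippet so that a modified value is rejected. The type names, the `enc:` prefix and the value layout are assumptions, and the `AesGcm` constructor used requires .NET 8 or later.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.Json;
// Hypothetical types. Encrypted values are "enc:" + Base64(nonce[12] || tag[16] || ciphertext).
public sealed class EncryptedJsonSource : JsonConfigurationSource
{
    public byte[] Key { get; set; } = Array.Empty<byte>(); // 16-, 24- or 32-byte AES key
    public override IConfigurationProvider Build(IConfigurationBuilder builder)
    {
        EnsureDefaults(builder); // resolve the file provider as the stock JSON source does
        return new EncryptedJsonProvider(this);
    }
}
public sealed class EncryptedJsonProvider : JsonConfigurationProvider
{
    private const string Prefix = "enc:";
    private readonly byte[] _key;
    public EncryptedJsonProvider(EncryptedJsonSource source) : base(source) => _key = source.Key;
    public override void Load(Stream stream)
    {
        base.Load(stream); // parse the JSON into Data, then decrypt marked values in place
        foreach (var name in Data.Keys.ToList())
            if (Data[name] is string v && v.StartsWith(Prefix, StringComparison.Ordinal))
                Data[name] = Unprotect(v.Substring(Prefix.Length), _key);
    }
    // Run once, offline, to produce the string that is pasted into appsettings.json.
    public static string Protect(string plain, byte[] key)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12), pt = Encoding.UTF8.GetBytes(plain);
        byte[] ct = new byte[pt.Length], tag = new byte[16];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, pt, ct, tag);
        return Prefix + Convert.ToBase64String(nonce.Concat(tag).Concat(ct).ToArray());
    }
    public static string Unprotect(string b64, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(b64);
        if (blob.Length < 28) throw new CryptographicException("Encrypted value is truncated.");
        byte[] pt = new byte[blob.Length - 28];
        using var aes = new AesGcm(key, 16);
        // Throws CryptographicException when the key is wrong or the value was modified.
        aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        return Encoding.UTF8.GetString(pt);
    }
}
```

Register it with `new ConfigurationBuilder().Add(new EncryptedJsonSource { Path = "appsettings.json", Key = key })`. The key has to come from outside the file (an environment variable or a secret store), otherwise the encrypted values are no better protected than plain ones.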