« OWASP & WASC AppSec 2007 | Main | Why bug hunt should be for sale »

Encrypting .NET configuration files through code

"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections.

Encrypting configuration data improves application security by making it difficult for users to view the data even if they access the configuration file. There are two protected configuration providers included with ASP.NET: RSAProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider. RSAProtectedConfigurationProvider uses the RSACryptoServiceProvider to encrypt configuration sections using RSA public key encryption to encrypt and decrypt data. DPAPIProtectedConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt configuration sections using the built-in cryptography capabilities of Windows. You can also create your own protected settings providers if needed. While a user will have a hard time dealing with encrypted data, ASP.NET has no problems. You can use both of these providers in ASP.NET code. "

Article Link: http://www.builderau.com.au/program/dotnet/soa/Encrypting-NET-con...


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!