Securing Your Configuration Files

By KENT SHARKEY on 5/2/2008 2:14:28 PM

You frequently need to store important information in your application's configuration files, such as connection strings, user IDs or paths to files. It is therefore a good idea to secure these files (or at least the sections that need security) to prevent unauthorized access. With Visual Studio 2005 and above, you can encrypt the contents of your configuration file, either from the command line or from your own code, and the resulting configuration file works normally.

Encrypting from the command line

    aspnet_regiis -pe "appSettings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

Encrypting a configuration section in code (C#)

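    // Requires references to System.Configuration and System.Web.
    using System.Configuration;
    using System.Web.Configuration;

    // Open the web.config at the given virtual path.
    Configuration config =
        WebConfigurationManager.OpenWebConfiguration("/");
    ConfigurationSection sect = config.GetSection("appSettings");
    // Encrypt only if the section is not already protected.
    if (!sect.SectionInformation.IsProtected) {
        sect.SectionInformation
            .ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }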
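
To confirm that either method took effect, the following added example (not code from the original article) checks a configuration file's top-level sections for the configProtectionProvider attribute and EncryptedData element that a protected section carries on disk. The class name, the list of sensitive sections and the sample XML are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example, not from the original article: lists sensitive top-level
// sections of a .config file that are still stored in plaintext.
static class ConfigProtectionAudit
{
    // Assumption: the sections this application treats as sensitive.
    static readonly string[] SensitiveSections = { "appSettings", "connectionStrings" };

    public static List<string> FindPlaintextSections(string configXml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null; // never resolve external DTDs or entities
        doc.LoadXml(configXml);
        var plaintext = new List<string>();
        foreach (XmlNode node in doc.DocumentElement.ChildNodes)
        {
            var section = node as XmlElement;
            if (section == null || Array.IndexOf(SensitiveSections, section.LocalName) < 0)
                continue;
            // A protected section names its provider and contains <EncryptedData>.
            bool hasProvider = section.HasAttribute("configProtectionProvider");
            bool hasCipher = false;
            foreach (XmlNode child in section.ChildNodes)
                if (child.LocalName == "EncryptedData") hasCipher = true;
            if (!(hasProvider && hasCipher)) plaintext.Add(section.LocalName);
        }
        return plaintext;
    }

    static void Main()
    {
        // Constructed sample: appSettings is protected, connectionStrings is not.
        string sample = @"<configuration>
  <appSettings configProtectionProvider=""DataProtectionConfigurationProvider"">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name=""Main"" connectionString=""Server=db;User Id=app;Password=example"" />
  </connectionStrings>
</configuration>";
        foreach (string name in FindPlaintextSections(sample))
            Console.WriteLine("NOT ENCRYPTED: " + name);
    }
}
```

Sections nested inside section groups or location elements, or moved to an external file with configSource, are outside what this check covers.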

Using the encrypted configuration

    // The value is decrypted transparently when the section is read.
    String secretValue =
        ConfigurationManager.AppSettings["secretStuff"];
    this.CurrentValueField.Text = secretValue;

Encrypting your configuration file will protect you against unauthorized access if a bad employee or hacker reads the file, but it won't protect you if you forget the password used to encrypt it. Remember to store a "clean" version of the configuration file somewhere safe.
