BenkoBlog

Confessions of an Evangelist

Cloud Tip #5 - Secure your settings in Web.config with Encryption

In Windows Azure, and especially with SQL Azure, we need to store passwords to access things. I wanted to show how you can encrypt sections of the web.config file by adding code to the global.asax file. The cool part is that with this technique you can secure application-specific settings such as connection strings and other data in the unlikely event that someone is able to get a copy of the configuration file (for example, by copying it to a thumb drive from the host machine).

The basic logic is to create a variable that points to a configuration section, then check whether the section is protected (i.e. encrypted). If it isn't, call the ProtectSection method to encrypt the contents. The server uses the local DPAPI (Data Protection API) to encrypt the configuration section with a machine-specific key, so only that machine can decrypt the contents. The code to add to the global.asax.cs file in the Application Start event for this is:

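// Requires "using System.Configuration;" at the top of global.asax.cs.

// The handler shown is Session_Start; the IsProtected check in EncryptSection
// means the section is encrypted and saved only once.
protected void Session_Start(object sender, EventArgs e)
{
    EncryptSection("appSettings");
}

private void EncryptSection(string sSection)
{
    // Open the web.config of the current application.
    Configuration config = System.Web.Configuration
                             .WebConfigurationManager
                             .OpenWebConfiguration
                             (Context.Request.ApplicationPath);

    ConfigurationSection configSection =
        config.GetSection(sSection);

    // Guard against a section name that the configuration does not define.
    if (configSection != null &&
        !configSection.SectionInformation.IsProtected)
    {
        // Encrypt with the machine-specific DPAPI provider and write
        // the protected section back to web.config.
        configSection.SectionInformation.ProtectSection
        ("DataProtectionConfigurationProvider");
        config.Save();
    }
}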
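
To confirm the step above took effect, here is an added example (not code from the original post): a Python check that reads a web.config and reports whether each section is stored protected. It looks for the layout ProtectSection writes, a configProtectionProvider attribute on the section wrapping a single EncryptedData element; the function name, status labels and sample file are constructed for illustration, and connectionStrings is checked as well because the post mentions connection strings.

```python
import xml.etree.ElementTree as ET

# Sections to check (assumption: these two hold the secrets worth protecting).
SENSITIVE_SECTIONS = ("appSettings", "connectionStrings")

# Constructed sample: appSettings already protected, connectionStrings not.
SAMPLE = """<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=example;User ID=app;Password=example" />
  </connectionStrings>
</configuration>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_config(xml_text, sections=SENSITIVE_SECTIONS):
    """Return {section: 'protected' | 'plaintext' | 'inconsistent' | 'absent'}."""
    root = ET.fromstring(xml_text)
    # Index top-level sections by local name so a namespaced root still works.
    top = {_local(child.tag): child for child in root}
    report = {}
    for name in sections:
        node = top.get(name)
        if node is None:
            report[name] = "absent"
            continue
        provider = node.get("configProtectionProvider")
        children = [_local(child.tag) for child in node]
        if provider and children == ["EncryptedData"]:
            report[name] = "protected"
        elif not provider and "EncryptedData" not in children:
            report[name] = "plaintext"
        else:
            # Attribute without ciphertext, or ciphertext without attribute.
            report[name] = "inconsistent"
    return report

if __name__ == "__main__":
    for section, status in audit_config(SAMPLE).items():
        print(f"{section}: {status}")
```
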

Happy Coding!
