
Encrypting Identities In Web.config

Tuesday, May 30, 2006

Rob Howard wrote a piece for MSDN Magazine on “Keeping Secrets in ASP.NET 2.0”. The article is a good introduction to encrypting configuration data in web.config.

Something I’ve had to do, which wasn’t immediately obvious to me, was encrypt the identity section of web.config for a specific location. For example, let’s say I don’t want the username and password in the following web.config file to appear in plain text.

<?xml version="1.0"?>
<configuration>

  <identity impersonate="false"/>

  <appSettings/>
  <connectionStrings/>
  <system.web>
     <compilation debug="true"/>
     <authentication mode="Windows"/>
  </system.web>

  <location path="admin">
   <system.web>
      <identity impersonate="true"
            userName="***"
            password="***"
     />
   </system.web>
  </location>

</configuration>

From the command line, a first crack at encryption might look like the following …

>aspnet_Regiis -pef system.web/identity e:\[path to website]
Encrypting configuration section...
Succeeded!

… except the above command only encrypts the first identity section, not the identity section inside of the <location> tag. The only way to reach the second identity section is to specify a location parameter, which is not available with the -pef switch, but is available with the -pe switch.

>aspnet_regiis -pe system.web/identity -app /[vdir] -location admin
Encrypting configuration section...
Succeeded!

The difference between -pef and -pe is subtle. The -pef switch takes the physical directory path of the folder holding web.config, while -pe takes the application's virtual path (via -app) and is the switch that accepts -location.
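Because -pef silently leaves location-scoped identity sections in plain text, it is worth having a check that walks web.config and reports every identity section that still carries a userName or password without a configProtectionProvider attribute (the attribute aspnet_regiis writes onto a section it has encrypted). The script below is an added example, not code from the post or from the aspnet_regiis tool; the embedded web.config is constructed for illustration (placeholder credentials, site-wide identity placed under system.web, a second location that is already encrypted), and the virtual directory name `mysite` is an assumption. It builds the -pe command for each section that still needs encrypting, adding -location only for sections nested in a <location> element.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample web.config (not the post's file). One site-wide identity
# with no secrets, one location-scoped identity with placeholder credentials,
# and one location whose identity section aspnet_regiis has already encrypted.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="false"/>
    <authentication mode="Windows"/>
  </system.web>
  <location path="admin">
    <system.web>
      <identity impersonate="true" userName="PLACEHOLDER_USER" password="PLACEHOLDER_PASS"/>
    </system.web>
  </location>
  <location path="reports">
    <system.web>
      <identity configProtectionProvider="RsaProtectedConfigurationProvider">
        <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
      </identity>
    </system.web>
  </location>
</configuration>
"""

CREDENTIAL_ATTRS = ("userName", "password")


def audit_identity_sections(xml_text: str) -> List[dict]:
    """Return one record per <identity> element, wherever it sits in the file:
    the <location path> it belongs to (None for the site-wide section), whether
    it already carries configProtectionProvider (written by aspnet_regiis when
    it encrypts a section), and whether it still holds plaintext credentials."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for node in root.iter("identity"):
        location: Optional[str] = None
        ancestor = parent_of.get(node)
        while ancestor is not None:
            if ancestor.tag == "location":
                location = ancestor.get("path", "")
                break
            ancestor = parent_of.get(ancestor)
        findings.append({
            "location": location,
            "encrypted": node.get("configProtectionProvider") is not None,
            "plaintext_credentials": any(node.get(a) is not None for a in CREDENTIAL_ATTRS),
        })
    return findings


def suggest_commands(findings: List[dict], vdir: str) -> List[str]:
    """Build one aspnet_regiis -pe invocation per identity section that still
    holds plaintext credentials. Sections nested in <location> get -location,
    which is the case the -pef form cannot reach."""
    commands = []
    for f in findings:
        if f["encrypted"] or not f["plaintext_credentials"]:
            continue
        cmd = f"aspnet_regiis -pe system.web/identity -app /{vdir}"
        if f["location"] is not None:
            cmd += f" -location {f['location']}"
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    results = audit_identity_sections(SAMPLE_WEB_CONFIG)
    for r in results:
        scope = r["location"] or "(site-wide)"
        state = "encrypted" if r["encrypted"] else (
            "PLAINTEXT CREDENTIALS" if r["plaintext_credentials"] else "no credentials")
        print(f"{scope:12} {state}")
    for cmd in suggest_commands(results, "mysite"):
        print("run:", cmd)
```

Point the script at a real web.config (read the file instead of the embedded sample) after running aspnet_regiis and it should print no `run:` lines; any that remain are sections the encryption pass missed.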