How To Encrypt / Protect Web.config Or App.config File



TODO:

Have you ever wanted to protect your web.config file so that the appSettings and connectionStrings sections cannot be read as plain text? Below are two methods and a class-level variable you can add to your code to protect your app.config or web.config.

 

SOLUTION:

 

// Message of the most recent exception caught by ProtectApplicationConfig or ProtectWebConfig.
// Starts as "" and is only written in their catch blocks; a successful call does not clear it,
// so a non-empty value may be left over from an earlier failed call.
private string LastErrorMessage = "";
        
/// <summary>
/// Encrypts the connectionStrings and appSettings sections of the running executable's
/// configuration file (App.config) in place, using the DPAPI-based protected-configuration provider.
/// </summary>
/// <remarks>
/// Failures are not thrown. Any exception is caught and only its message is stored in
/// <c>LastErrorMessage</c>, so a caller must inspect that field to know whether the file was
/// actually protected; on failure the sections stay in plain text on disk.
/// NOTE(review): as registered in the default machine.config, this provider normally uses
/// machine-scoped DPAPI keys (useMachineProtection="true"), which lets any process on the same
/// machine decrypt the sections. Confirm the provider settings match your threat model.
/// </remarks>
public void ProtectApplicationConfig()
{
    // Registered name of DpapiProtectedConfigurationProvider.
    const string providerName = "DataProtectionConfigurationProvider";

    try
    {
        // ConfigurationUserLevel.None opens the application-level config file, not a per-user one.
        Configuration exeConfig = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        ConnectionStringsSection connectionStrings = exeConfig.ConnectionStrings;
        AppSettingsSection appSettings = exeConfig.AppSettings;

        // Encrypt connectionStrings unless it is already protected.
        SectionInformation connectionStringsInfo = connectionStrings.SectionInformation;
        if (!connectionStringsInfo.IsProtected)
        {
            connectionStringsInfo.ProtectSection(providerName);
        }

        // Encrypt appSettings unless it is already protected.
        SectionInformation appSettingsInfo = appSettings.SectionInformation;
        if (!appSettingsInfo.IsProtected)
        {
            appSettingsInfo.ProtectSection(providerName);
        }

        // Force both sections to be written out even if the framework sees them as unmodified.
        connectionStringsInfo.ForceSave = true;
        appSettingsInfo.ForceSave = true;

        // Writing the file requires the process identity to have write access to it.
        exeConfig.Save();
    }
    catch (Exception failure)
    {
        // Best-effort: record the message for the caller instead of propagating the exception.
        LastErrorMessage = failure.Message;
    }
}

/// <summary>
/// Encrypts the connectionStrings and appSettings sections of the web application's root
/// Web.config ("~") in place, using the DPAPI-based protected-configuration provider.
/// </summary>
/// <remarks>
/// Failures are not thrown. Any exception is caught and only its message is stored in
/// <c>LastErrorMessage</c>, so a caller must inspect that field to know whether the file was
/// actually protected; on failure the sections stay in plain text on disk. That includes the
/// null dereference that results if GetSection returns null for either section.
/// NOTE(review): as registered in the default machine.config, this provider normally uses
/// machine-scoped DPAPI keys (useMachineProtection="true"), which lets any process on the same
/// machine decrypt the sections. Saving also needs the web application's identity to have write
/// access to Web.config. If that permission is not wanted at runtime, encrypt the sections at
/// deployment time instead (for example with aspnet_regiis -pe).
/// </remarks>
public void ProtectWebConfig()
{
    // Registered name of DpapiProtectedConfigurationProvider.
    const string providerName = "DataProtectionConfigurationProvider";

    try
    {
        // "~" addresses the Web.config at the root of the current web application.
        Configuration webConfig = WebConfigurationManager.OpenWebConfiguration("~");

        // Direct casts (not "as") so an unexpected section type still surfaces as an exception.
        ConnectionStringsSection connectionStrings =
            (ConnectionStringsSection)webConfig.GetSection("connectionStrings");
        AppSettingsSection appSettings =
            (AppSettingsSection)webConfig.GetSection("appSettings");

        // Encrypt connectionStrings unless it is already protected.
        SectionInformation connectionStringsInfo = connectionStrings.SectionInformation;
        if (!connectionStringsInfo.IsProtected)
        {
            connectionStringsInfo.ProtectSection(providerName);
        }

        // Encrypt appSettings unless it is already protected.
        SectionInformation appSettingsInfo = appSettings.SectionInformation;
        if (!appSettingsInfo.IsProtected)
        {
            appSettingsInfo.ProtectSection(providerName);
        }

        // Force both sections to be written out even if the framework sees them as unmodified.
        connectionStringsInfo.ForceSave = true;
        appSettingsInfo.ForceSave = true;

        webConfig.Save();
    }
    catch (Exception failure)
    {
        // Best-effort: record the message for the caller instead of propagating the exception.
        LastErrorMessage = failure.Message;
    }
}

 

 

NOTES:

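The config file can ONLY be used on the machine it is protected on, because the DPAPI provider encrypts the sections with keys tied to that Windows machine.  Once a file is protected, trying to copy the protected file to another machine and use it will not work.  The application still reads the settings transparently, so this protects the file when it is copied or backed up off the machine; it does not hide the values from code running on the same machine that can use the same DPAPI key.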