How to encrypt Cryptography related info saved in web.config?

Topics: Cryptography Application Block, Security Application Block
Aug 14, 2011 at 3:09 PM


I am newbie to Enterprise Library and using its Cryptography module to (de)encrypt some information before saving in database.

Using "Enterprise Library Configuration Tool", I have created an encryption block that implements RijndaelManaged for the purpose. During the process, I created a new key file which is saved in my local file system.

Everything works fine.

Now, when I open Web.Config (I am working on ASP.Net Website), I can see all the cryptography related information saved in plain English. Also, a reference to the location where the Key file is saved is present.

Now, I have the following concerns.

  1. Is there any way to encrypt all this information present in Web.Config (like we do for ConnectionStrings)?
  2. I'll be using Shared hosting to host website, so, do I need to FTP the KEY File as well? What all changes do I need to make with regard to KEY file whose reference is present in Web.Config. 


Aug 15, 2011 at 10:07 AM


You can encrypt the configuration by using the Protection Provider:


 On your second question, I believe you don't have to do something to the key assuming that it is deployed on the same server where your web application resides.


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.
Contact Us

Aug 16, 2011 at 4:29 PM

Thanks for reply.

Regarding my second query, I change the name of KEY file to something else and got the following error.

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Practices.ServiceLocation.ActivationException: Activation error occured while trying to get instance of type CryptographyManager, key "" ---> Microsoft.Practices.Unity.ResolutionFailedException: Resolution of the dependency failed, type = "Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.CryptographyManager", name = "(none)".Exception occurred while: Calling constructor Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.SymmetricAlgorithmProvider(System.Type algorithmType, System.String protectedKeyFileName, System.Security.Cryptography.DataProtectionScope protectedKeyProtectionScope, Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Instrumentation.ISymmetricAlgorithmInstrumentationProvider instrumentationProvider).Exception is: DirectoryNotFoundException - Could not find a part of the path 'C:\MyProhect\EncKey.key'.

It looks, the KEY file is required. So, I am a little concerned about security. If I place KEY file on shared server (under app_code or app_data) and someone gets access to it, (s)he will be able to retrieve all the encrypted information.

Is there a way to prevent it? I am not really in favor of putting Key file on server.

Aug 17, 2011 at 4:38 AM

Yes, that is the expected behavior since the Cryptography Application Block requires the Key file. The encrypted data is not stored on the key file but the key (in hexadecimal) itself which is used both in encryption and decryption process. The key data stored on key file is encrypted by design, so unauthorized users can't easily utilize it.


Noel Angelo Bolasoc
Global Technologies and Solutions
Avanade, Inc.
Contact Us