app.config Encryption

Topics: Cryptography Application Block, Data Access Application Block, General discussion, Security Application Block
Nov 6, 2007 at 2:53 PM
(Entlib 3.1)
Hi, I'm trying to encrypt sections of my app.config file with either "RsaProtectedConfigurationProvider" or "DataProtectionConfigurationProvider". It works well on my machine but it can't be decrypt on target machine. I know that it is possible to export a Rsa Key but seems to work only with ASP (since we need to register the key with Aspnet_regiis.exe on the server). How should I proceed to encrypt an App.config file for a Windows Form application and make it readable on target machine where the application is distributed ?


Nov 6, 2007 at 3:01 PM
Hi Sylvain,

The procedure for encrypting configuration files is the same, regardless of the kind of application. You do need to use the aspnet_regiis.exe tool to export and import the key containers (as described in Unfortunately, the existing msdn documentation does a poor job describing how to use encryption for non web applications.

Did you face any specific issues when trying to use aspnet_regiis?

Nov 6, 2007 at 5:09 PM
Thanks Fernando for the quick reply.

The issue I have is that I don't know how to export the key that is used to encrypt my app.config file.

Here's the steps to reproduce what i've done so far :

1- Open "Enterprise Library Configuration" tool
2- Create a New application
3- Add the Data Access Application Block
4- Set the connection string property
5- Set the protectionProvider to "RsaProtectedConfigurationProvider"
6- Save the app.config file
7- Add the app.config file to my project

My understanding is that the Rsa key is machine specific which means that there's no problem decrypting the app.config file located on my machine since the crypting was done with it. But if I want to deploy the crypted app.config file, I also need to deploy the key. The problem is that I don't know how to get that key. I also need to know how to use that key (once I get it...) on the target machine to make my application decrypt the app.config file.

Thanks for your help.

Nov 6, 2007 at 5:27 PM
Hi Sylvain,

Yo will need to use a new protected configuration provider configured for a new container, as described in the msdn article I linked above. Now, there's a catch: the config tool only knows about the providers defined in its configuration (the tool's), so adding the new provider declaration in the edited configuration file will not work at design time (but it will at runtime).

You can add the new provider to your machine.config file to make it available, or if you're using the standalone console to the tool's config file.

For more background information about key management you can refer to the msdn articles linked from the one above.

Hope this helps,
Nov 6, 2007 at 8:07 PM
Hi Fernando,

I understand that I need to use aspnetregiis.exe to create a new protected configuration provider. By reading the msdn articles you listed in your previous post, I've created a new RSA Key container named "Mykeys" and made it exportable with the following command (aspnetregiis -pc "MyKeys"–exp). Then came the part where I need to grant authority to access that new RSA key. The example shows how to grant the account "NT AUTHORITY\NETWORKD SERVICE" but in my case don't use ASP so granting this account don't make sense to me.

I did try to grant that account and also my account but when I get to the encryption part, I need to specify an Application (-app) and I don't know what to specify there.


Nov 6, 2007 at 8:21 PM

You must use aspnet_regiis to create, export and import key containers. You would create a new one in the machine where you author the config file, export it to a file and then import it in the target server. In the target server you would grant access to the key container to the account that will need to read the configuration.

Now, you can encrypt the configuration file with entlib's config tool or with aspnetregiis. In both cases you will need to declare a new configuration provider in the configuration file that will get its keys from the new key container; the msdn article shows a sample of such a provider. If you use the config tool, then you have the issue that the tool will not be able to use providers defined in the configuration file being edited, so you will need to declare this provider either on the machine.config file (next to the standard providers like "RsaProtectedConfigurationProvider") or the tool's own config file. If you use aspnetregiis, you would need to rename the config file to web.config and use the -pef switch; it's not pretty but it works.

Nov 7, 2007 at 6:06 PM
Hi Fernando,

I've been trying to encrypt my app.config file all day long and it still not working. There must be something that I don't get. I tought that encrypting an app.config file would be something that is done most of the time that the DAAB is used. What is the "best practice" in that scenario ?

The only way I found to encrypt the file is to add an InstallerClass to my project and to encrypt the app.config file on the target machine at installation time. This way, the encryption key used is the one that is located on the target machine but it is very easy for a user to decrypt that file (simply use Enterprise Library config tool).

Many thanks Fernando for your time