A few days back, i was messing with encrypting different sections of web.config. I was doing it for the first time so learnt alot from it. I will list down what i thought that how it can be done, where i was wrong and why .Net does the what it does.

When i got the task first time i thought ok it seems to be an easy task as i have done encryption before. So, i started to think the algorithms that .Net provides us

  1. TripleDES
  2. MD5
  3. others …

With a little googling i found a code snippet of encrypting and i tried to follow the following method.

  1. Access the section and get the text from the XML using WebConfiguration class.
  2. Pass the text to any of the encryting algorithm.
  3. Replace the section with the encrypted section.
  4. Inject a decryption code somewhere in my code.

Seemed a good method, so i quickly jumped onto implementing it. My task was to encrypt the following sections

  1. Connection Strings
  2. Identity
  3. AppSettings

I made a small application and encrypted the sections. I was happy that 90% is complete. I opened the web.config in Visual Studio and i ran the code the web.config started giving errors. WHY ? Web.config is an XML file and things have to be in proper tags.

and anything like the following was not reasonable

So, what now ?

I thought that ok i will somehow manage the connectionstring and appsettings section but what about the identity section ?

  1. I never used that in my code ?
  2. When .Net pulls the identity section from the config file ?
  3. If it pulls the identity section on every resource access then how on earth i will know it ?
  4. How to override the identity section ?

and suddenly my 90 % went to 0%.

Then i tried to overide the identity section in the Application_Start event of the global.asax section but all in vain.

After trying everything, i posted on forum and someone helped me by saying that i can implement my own CustomProvider or i can use .Net built in providers.

I found  the following URL after googling.


It was a good read and complex too.

We went on to implement the encryption facility provided by .Net.

aspnet_regiis.exe is the tool that is used to encrypt and decrypt the sections of config file.

Please Note the following sections cannot be encrypted using aspnet_regiis.exe:

  • <processModel>
  • <runtime>
  • <mscorlib>
  • <startup>
  • <system.runtime.remoting>
  • <configProtectedData>
  • <satelliteassemblies>
  • <cryptographySettings>
  • <cryptoNameMapping>
  • <cryptoClasses>

To Encrypt you need to do the following Steps: (Run these commands in .Net command prompt)

1- Create a Key container using the following command (You can skip the step 1 and 2 as they are needed for the follow up articles)

aspnet_regiis -pc “CobraWeb” -exp

2- Add the details of your provider in web.config

3- Encrpyt your desired section by the following command.

aspnet_regiis -pe “system.web/identity” -app “/config1” -prov “MyProvider”

  •  “system.web/identity” is the section that i want to encrypt.
  •  “/config1” is the name of my IIS hosted application. / represents the root and config1 is the name of my application
  •  “MyProvider” is the name of the provider that you gave in the web.config in step 2.
4- Visit your web.config and you will see something like the following.

Great! We have done it. No need to worry about Decrypting this. .NET decrypts it automatically. Yeah Cool! Now feel free to use your application.

What we Learnt:

  1. Why build a complete new method to do encryption when .Net provides us ?
  2. If we still want to use our own method then implement the CustomProvider because .Net will decypt it using your code and the identity tag will not be a problem anymore.
  3. Encrpting web.config using the .Net built in providers.