.NET 2.0 encryption web.config/app.config options?

Situation: 13 servers containing both ASP .Net web sites and .NET apps. Servers are broken up in Developemnt, Test, and Production types.

Issue: Need to encrypt all app.config and web.config files.

Currently we are using .NET 1.1, so I had developed (test working, not yet deployed) a shared (GAC) utility that would be responsible for providing an interface to allow the encryption (DPAPI + Second Entropy) of information for the developer to manually place in each web.conf/app.config file during development. The backend of this utility was referenced by the *.config files in decrypting values on all web site/applications during start up (then stored in a session variable\Static variable).

The department has now decided to migrate to .NET 2.0, and having read the new way of encrypting web.config (aspnet_regiis.exe) and app.config (ProtectSection()), I am assuming a way of encrypting ASP .NET 2.0 and .NET 2.0 apps would be to simply create an utility whereby the developer, through a user interface, selects the location of the *.config file to encrypt, to which the utility will either execute aspnet_regiis.exe or call ProtectSection() depending whether its a web.config or app.config file. As we migrate apps from Dev->Test->Prod for development and maintenance, I was thinking of using RSA encryption and using the export key (decryption key) from the encryption key to place on all our servers (so the encryption process need only be done on the development server).
Being new to this (.NET in general and .NET 2.0), does this sound practical? 

1/18/2007 2:35:38 AM
asp.net.security 27051 articles. 1 followers. Follow

3 Replies

Similar Articles

[PageSpeed] 8
Get it on Google Play
Get it on Apple App Store

Run following from VS command prompt:

aspnet_regiis -pe to encrypt web.config file
aspnet_regiis -pd to decrupt web.config file

Try aspnet_regiis -? for all arguments.

Hope this helps.



1/18/2007 4:25:45 AM

jae, excuse my noobness and I am certainly not ungrateful for your attention\contribution, but I don't see how your question applies to my issue?

If you read my issue it involves both web.config and app.config (aspnet_regiis does not work). Also I would have to initially run (only for the APS .NET web sites) the command the number of websites on each on each of the 13 servers, and then 3 times (Dev, Test, Prod).each time an applpication\web site is developed or *.config file is changed. I am after a more feasable solution, akin to the one I had suggested.
Sorry if my initial post was somewhat misleading or written poorly.

1/18/2007 5:50:26 AM

My apologies.  I don't think I fully understood your question.



1/18/2007 6:13:09 AM

Similar Artilces:

web.config problems when upgrading from .NET 2.0 Beta to .NET 2.0 release version
We uninstalled .NET 2.0 Beta and replaced it with .NET 2.0 release version.  And it messed everything up.  All applications now give weird errors indicating the lack of web.config files, despite the fact that they already have web.config files in place.  For example, the following error occurs even though the web.config file has <customErrors="Off">: Runtime Error Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for securit...

Bad web.config in AJAX.NET 1.0 under .NET 2.0 Express
My setup is MS.NET v2.0 with the C# and Web Express editions of 2005. I also installed the AJAX 1.0 release with the respective toolkit as indicated in the AJAX.NET site. However, when I create a new project I am presented with the usual bare bones default.aspx and the web.config. However the web.config shows a lot of warnings and errors.One of them was being that the "requiredPermission" (or something like that) attribute was not recognized. Somewhere on the net there is a post of a correction to the DotNetConfig.xsd schema file in VS.2005 so I used it and it got rid of THAT warning.&n...

Encrypting web.config with RSA [.NET 2.0]
If I use aspnet_regiis and its appropriate flag settings to generate a key, encrypt the web.config file of application 'A' on my Dev server with that key, export (and inject) the key and application 'A' to the Test server - everything should work ok on both servers (ie decryption of web.config file by the app). Now if I then create application 'B' on my Dev server using the same encryption key used to encrypt application 'A' and then export application 'B' to my Test server - I am assuming it should work ok on the Test server given the decryption key already on the Test server is from the en...

Encrypting web AND window application config files (.NET 2.0)
What would be the easiest way to encrypt both web and windows application config files (all being on the one server)? I know about the 'aspnet_regiis' command, but as it doesn't do application config files I was wondering if a single GAC shared assembly could be used to initially encrypt  (an interface for encrypting, with developer then manually implementing) and decrypt the data.TIA  I'm not sure I follow you.  Still hope this helps: http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspxZhao Ji MaSincerely,Microsoft Online Community Support“Please remember to click...

Web.Config Inheritance and Mixing .Net 1.1 and 2.0 Apps
The problem I have with the automatic inheritance of Web.Config settings.  I have an application in the root directory of my website, and I have just converted this to a .Net 2.0 application - and there are the .Net 2.0 specific directives in it's Web.Config file.  But, there are quite a few .Net 1.1 applications in several of the subdirectories - and when they start, they automatically read the root folder's Web.Config - which contains 2.0 specific stuff, and it objects. How can I stop this automatic inheritance behavior?  Can a <location path=".">...

.net 2.0 Security Web.Config problem (possible IIS issue?)
I have a website I developed using asp.net (vb) that has a protected content sections, users and roles.  The established roles are 'Admin', 'Customer', and 'Employee' The protected directories are the /admin, /employee, and /customer respectively.  User's assigned to the 'Admin' role should be granted access to all three sections.  User's with the 'Employee' role should only be granted access to the /employee section, and user's with the 'Customer' role should only be allowed to access the /customer directory.  ...

.Net 2.0 Web application using Vb.net is unable to create object of another dll writen in C# .net 2.0
Hi, I habe created one ASP.net web application using Vb.net which is adding reference of dlls written in C# and .net 2.0. But whenever trying to create object of referencing dll, it is throwing error :Object reference does not set to an object. But, locally it is working fine,. In the server i have deployed the .aspx files and dll files in the bin. There were already an web.config in the server which is of .net 1.1. But checked it is retrieving value for that web.config correctly. Should i have to deply any other files and if not what can be the solution for this? Please help. Thanks, So...

Differences between .net 1, .net 1.1, .net 2.0 and .net 3.0 #2
Hi, This seems to be a common question, but i havent got an answer yet:(Can, any one please explain me the differences between these versions.If you keep your feet firmly on the ground, you'll have trouble putting on your pants! There are too many differences for one email - - from 1.0 to 1.1 (not a whole lot of real change, other than fixes, at least compared to 1.1 to 2.0) With 2.0, there were many new declarative controls, with many new ideas added in With 3.0, it's a superset of 2.0 - instead of replacing the installation completely, it just 'added on' new functionality - I would...

Access .Net 2.0 Application from .Net 2.0 Web Site
I need to populate a specific form in a .Net desktop application from a .net web application.  Is there an easy way to go about this? Hi, Based on my understanding, you want to start an executable application from your ASP.NET websit, right? We can invoke Process.Start method (http://msdn.microsoft.com/en-us/library/system.diagnostics.process.start.aspx) to launch an executable application from ASP.NET application. Note: Please keep in mind, the ASP.NET application is running on the server, so it will start the executable application that exists in the server.   I look...

Web Server Config with .NET 2.0
I know you only need to install the .NET 2.0 framework but what will it hurt to also install VS 2005 on your Web App server. Yea, yea, I know, all the network admin guys and hard core guys will tell you because of server resources...but what if your  PC crashes....or what about an emergency.  I think sometime bending the rules such as not installing Office, etc. on a server isn't that big of a deal, as long as you use it as a last resort to save your ass in a situation where you would have wished you did install that stuff on your server afterall. Thoughts?When is Microsoft going...

[PATCH lib/Net/Config.pm, MANIFEST, t/lib/Mock/Socket.pm, lib/Net/Config.t] Add Tests for Net::Config
Here's a test suite for Net::Config. In the process of writing this, I've fixed an apparent bug that prevented single values from becoming array references when necessary. I think it's right, but perhaps Graham should weigh in on this. In the process, with some advice from perl-qa, I've added a mock object so the test could control the output of Socket::inet_ntoa() and Socket::inet_aton(). t/lib/Mock/ seemed like as good a place as any. I'm happy to rework this patch if it personally offends anyone whose opinion matters. :) -- c --- lib/Net/~Config.pm S...

Sharing cookie between .NET 1.1 and .NET 2.0 web app
I have two servers A and B.  A hosts .NET 1.1 web apps, while B hosts .NET 2.0 web apps.  I have a common login page written in .NET 2.0 (thus it's on server B).  In order to share the cookie, I set the machine key attributes (validation and encryption) of all apps to the same keys, and set all .NET 2.0 web apps to use decryption="3DES".  But for some reasons, my .NET 1.1 still cannot read the cookie generated by the .NET 2.0 login page.  Anyone has similar problem before?  Am I missing anything? Thanks. WenWen I am afraid you can only share t...

How to read configSection from Web.config in .NET 2.0
Hi,  We are migrating our project from .NET 1.1 to .NET 2.0 framework. We were using enterprise library 1.1 earlier to read the configuration of the <configSections> from our web.config. The method used to read section was ConfigurationManager.GetConfiguration("SectionName"); Now we trying to access the same method using Enterprise Library 2.0, but that are not available. Even .NET 2.0 framework has now got more API’s in System.Configuration which can be used but I have not been able to read to Config section of Web.Config using those methods. Below I have...

Weird web.config bug in .net 2.0?
I've got a really weird error occuring on one web server. The message is "The entry "myConnection" has already been added." It seems to be thrown by the roles engine. What is odd is I only have 1 connection string defined in the web.config and this identical code has been untouched and running for the past few days - it also runs fine on any other virtual directory I copy it to, just not this one anymore?   I've tried an IIS reset with no luck, even replaced the web.config, no change. anyone ever seen this? thanks, -c Just something to add here. I figured out that my web.config ...

Web resources about - .NET 2.0 encryption web.config/app.config options? - asp.net.security

Encryption - Wikipedia, the free encyclopedia
For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible ...

REPORT: Facebook’s Outdated Web Encryption Technology May Have Enabled Prism
Facebook still uses encryption keys with 1,024-bit lengths, while the industry standard used by Internet companies — including Apple, Microsoft, ...

Search Twitter - encryption
Sign in Sign up Search Refresh Tech Investor News @ TechInvestNews 2m Secusmart puts its BlackBerry encryption chip to work on the desktop (Netflash) ...

Symantec Mobile Encryption for iOS for iPhone, iPod touch, and iPad on the iTunes App Store
Get Symantec Mobile Encryption for iOS on the App Store. See screenshots and ratings, and read customer reviews.

ProtonMail: banning encryption won't stop terrorism
... similar atrocities happening in future. As well as calls for an increase in online surveillance , politicians have also suggested that encryption ...

Apple, Google, Facebook and Microsoft warn weaker encryption makes the bad guys stronger
... stance on encrypted Internet-connected products and services. But government officials aren’t the only ones to voice concerns about encryption. ...

ISIS Is Using Everything From Encryption To PlayStations To Avoid Being Spied On
But the larger problem, according to intelligence officials, is what happens when ISIS stops using technology at all.

Feinstein: The Achilles heel in the internet is encryption - Videos - CBS News
Senate Intelligence Committee member Sen. Dianne Feinstein, D-California, says that the biggest obstacle the intelligence community faces is ...

Apple and Microsoft's advocacy group is against encryption backdoors
... Cook's lead, the advocacy group behind Apple, Google, Microsoft and plenty of other big tech firms has come out against calls to weaken encryption, ...

More Than 80% of Mobile Apps Have Encryption Flaws, Study Finds
More than 80 percent of mobile devices have encryption flaws, while an application written in any of a trio of scripting languages—including ...

Resources last updated: 12/8/2015 7:53:46 AM