Section level encryption of ASP.NET settings in IIS 7

As you know, ASP.NET supports section level encryption for protecting its configuration.  Out of the box it supports two protected-configuration providers, RSA (RsaProtectedConfigurationProvider, the default) and DPAPI (DataProtectionConfigurationProvider), and it also lets you plug in a custom protection provider.  (Click here for more information on using RSA.  Click here for DPAPI.)  The most commonly encrypted sections are appSettings, connectionStrings, identity and sessionState.

While the initial encryption is done with aspnet_regiis.exe, once the sections were encrypted the IIS 6 inetmgr let users view the encrypted settings in clear text (i.e. the UI decrypted the sections) and also let them edit the values and save the settings encrypted (i.e. the UI re-encrypted the sections). 

Unfortunately, in IIS 7, inetmgr does not know how to handle encrypted sections for ASP.NET settings.  It is important to note that section level encryption is still supported and is as secure as it was in IIS 6; the runtime decrypts the sections exactly as before.  It is only the manageability of encrypted sections that is not supported in the IIS 7 inetmgr.  If the connectionStrings section is encrypted in configuration, the user will see the following error when clicking on the Connection Strings icon in the IIS 7 inetmgr:

There was an error while performing this operation.
Details:
Filename: <path to configuration file>
Line number: <line number>
Error: Configuration section encryption is not supported

This was a conscious design decision in IIS 7.

I still recommend that users encrypt and secure the ASP.NET settings they consider sensitive.  However, in order to view and/or update the values, users will first have to manually decrypt the sections using aspnet_regiis.exe, edit the file, and then re-encrypt the sections using aspnet_regiis.exe.  The steps to encrypt and decrypt the sections using RSA and DPAPI are provided in the links above. 
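The decrypt, edit, re-encrypt round trip described above, written out as an added example (this is not code from the original post, and the application path C:\wwwroot and the connection string name MyDb are assumed for illustration). Two things worth noting: aspnet_regiis protects whole sections, so the section argument is connectionStrings, never an element or attribute inside it; and the account running the script must have access to the RSA key container that encrypted the section, otherwise -pdf fails. The last step opens the re-encrypted file through System.Configuration to confirm that the runtime still reads it as clear text, which is what the application itself sees.

```powershell
# Added example, not part of the original post. Round-trips an encrypted
# <connectionStrings> section without inetmgr. Assumes .NET Framework 2.0-3.5
# (v2.0.50727 build), an application at C:\wwwroot (hypothetical), a
# connection string named MyDb (hypothetical) and an elevated prompt.
$aspnetRegiis = "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
$appPath      = 'C:\wwwroot'          # physical path of the application (assumed)
$webConfig    = Join-Path $appPath 'web.config'
$section      = 'connectionStrings'   # a section name; -pef/-pdf do not take element paths

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $aspnetRegiis @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-SectionEncrypted {
    param([string]$ConfigPath, [string]$SectionName)
    [xml]$xml = Get-Content -LiteralPath $ConfigPath
    $node = $xml.configuration.SelectSingleNode($SectionName)
    # A protected section carries a configProtectionProvider attribute and an
    # <EncryptedData> child instead of its normal <add> elements.
    return ($null -ne $node) -and
           ($node.GetAttribute('configProtectionProvider') -ne '') -and
           ($null -ne $node.SelectSingleNode('EncryptedData'))
}

# 1. Decrypt in place: -pdf <section> <physical directory>.
Invoke-RegIis @('-pdf', $section, $appPath)
if (Test-SectionEncrypted $webConfig $section) { throw "$section is still encrypted after -pdf" }

# 2. Edit the clear-text section through the XML DOM rather than a text editor,
#    so the file is guaranteed to stay well-formed before it is re-encrypted.
[xml]$config = Get-Content -LiteralPath $webConfig
$entry = @($config.configuration.connectionStrings.add) | Where-Object { $_.name -eq 'MyDb' }
if (-not $entry) { throw "connection string 'MyDb' not found in $webConfig" }
$entry.connectionString = 'Server=sql01;Database=MyDb;Integrated Security=true'
$config.Save($webConfig)

# 3. Re-encrypt. RSA is the default provider; for DPAPI append
#    '-prov', 'DataProtectionConfigurationProvider' to the argument list.
Invoke-RegIis @('-pef', $section, $appPath)
if (-not (Test-SectionEncrypted $webConfig $section)) { throw "$section was not re-encrypted" }

# 4. Confirm the runtime still decrypts the section transparently. This is the
#    same System.Configuration path the application uses, so a clear-text value
#    here means the app will work even though inetmgr cannot display it.
Add-Type -AssemblyName System.Configuration
$map = New-Object System.Configuration.ExeConfigurationFileMap
$map.ExeConfigFilename = $webConfig
$cfg = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration($map, 'None')
$csSection = $cfg.ConnectionStrings
"Section protected on disk: {0}" -f $csSection.SectionInformation.IsProtected
"MyDb as seen by the runtime: {0}" -f $csSection.ConnectionStrings['MyDb'].ConnectionString
```

If the file is shared by several users or machines (a web farm), the same RSA key container has to be exported and imported everywhere with -px/-pi and the application pool identity granted access with -pa before step 4, or the runtime, not just inetmgr, will fail to read the section.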

4 Comments

  • Hi Won,

    Nice post - welcome to the IIS blogosphere :)

    Thanks,

    Mike

  • Hi Won,

    Does that mean that applications I have developed with web.configs encrypted on IIS 6 will break when I deploy them on IIS 7?

    Greetz,
    Owin

  • Owin


    There are some breaking changes between IIS 6 and IIS 7, if your application is running in an integrated mode in IIS 7. You can read about the breaking changes at http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx We have tried to minimize these breaking changes and for most customers, they should not pose serious problems.

    To answer your specific question around encrypted sections in web.configs, no they will continue to work in IIS 7. The runtime understands how to decrypt and understand the encrypted sections. What is not supported is the manageability of the encrypted sections via IIS 7 inetmgr. While the application will work properly, if you want to make configuration changes to the encrypted sections, you won't be able to do so using the IIS 7 inetmgr. You will have to use the workaround mentioned in the original post.

    Thanks


    Won

  • Hi,

    So could you provide some support as to how we specifically encrypt an attribute for IIS 7? The problem we have with this is that we get an error in our event log for every request. Could you possibly provide a link to show how to do per-attribute encryption of the web.config?

    I have tried to do:
    C:\Windows\Microsoft.NET\Framework64\v3.5\aspnet_regiis.exe -pef "connectionStrings\add" c:\wwwroot
    C:\Windows\Microsoft.NET\Framework64\v3.5\aspnet_regiis.exe -pef "connectionStrings/add" c:\wwwroot
