Encrypting web.config elements is a good security feature. Web.Config elements can include passwords and important keys that we need to protect.Encrypting web.config elements is a good security feature. Web.Config elements can include passwords and important keys that we need to protect.
There are several methods to encrypt the web.config:
- Using a command line statement
- Using .NET code
- Configuring the web deployment
The easier solution, although limited, is configuring the web deployment. When we prepare the deployment of a web application, a file with PUBXML extension is included in the project. This file has the configuration for the application deployment in XML format.
Using a single additional configuration we can we can ensure the encryption of the connection string in the production web.config:
There are two limitations to this approach:
- This statement only encrypts the connectionStrings element. If you need to encrypt other sections, such as appSetings, this statement will not solve the problem.
- If the connection strings are in a different file, not in the web.config, this configuration doesn’t work, it can’t encrypt the connection string in a different file than web.config
The solution for these limitations would be an Exec element in the PUBXML file to execute a command line statement after the deployment.
For example, to encrypt the appSettings element we can use the following elements inside the PUBXML file: