Description

One of the primary places that sensitive information is stored in an ASP.NET application is the Web.config file. To help secure information in configuration files, ASP.NET provides a feature called protected configuration, which enables you to encrypt sensitive information in a configuration file. The recommended approach is to use either of the protected configuration providers included in the .NET Framework (DpapiProtectedConfigurationProvider or the RsaProtectedConfigurationProvider [1]).
Unfortunately, these two protected configuration providers do not work as is on Windows Azure. Using the RsaProtectedConfigurationProvider in a web farm scenario requires transferring an RSA key pair in an XML file to each of the servers in the web farm and then importing the key into a key container. This XML file is supposed to be removed from the servers after the key is imported [2]. On Windows Azure, the account running the Web role doesn't have permission to delete files in the web root, so it is not possible to remove this XML file.
This code sample is a custom protected configuration provider [3] that can be used to encrypt configuration settings in a Web.config file deployed on Windows Azure. The Personal Information Exchange format (PFX, also called PKCS #12) enables transfer of certificates and their corresponding private keys from one computer to another. This custom protected configuration provider is similar to the RsaProtectedConfigurationProvider. The difference is that instead of transferring the RSA key pair in an XML file, it relies on the key pair being transferred as a certificate in .pfx format (using the Windows Azure Certificate Store [4]).
How To: Encrypt Configuration Sections in ASP.NET applications hosted on Windows Azure

References

[1] Encrypting Configuration Information Using Protected Configuration
http://msdn.microsoft.com/en-us/library/53tyfkaw(v=VS.80).aspx

[2] How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/en-us/library/ff650304.aspx

[3] Implementing a Protected Configuration Provider
http://msdn.microsoft.com/en-us/library/wfc2t3az.aspx

[4] Working with the Windows Azure Certificate Store
http://msdn.microsoft.com/en-us/library/ee758713.aspx