
One of the primary places that sensitive information is stored in an ASP.NET application is the Web.config file. To help secure information in configuration files, ASP.NET provides a feature called protected configuration, which enables you to encrypt sensitive information in a configuration file. The recommended approach is to use either of the protected configuration providers included in the .NET Framework (DpapiProtectedConfigurationProvider or the RsaProtectedConfigurationProvider [1]).

Unfortunately, these two protected configuration providers do not work as-is on Windows Azure. Using the RsaProtectedConfigurationProvider in a web farm scenario requires transferring an RSA key pair in an XML file to each of the servers in the web farm and then importing the key into a key container. This XML file is supposed to be removed from the servers after importing the key [2]. On Windows Azure, the account running the Web role doesn't have permission to delete files in the web root, so it is not possible to remove this XML file.

This code sample is a custom protected configuration provider [3] that can be used to encrypt configuration settings in a Web.config file deployed on Windows Azure. The Personal Information Exchange format (PFX, also called PKCS #12) enables transfer of certificates and their corresponding private keys from one computer to another. This custom protected configuration provider is similar to the RsaProtectedConfigurationProvider. The difference is that instead of transferring the RSA key pair in an XML file, it relies on the transfer occurring through a certificate in .pfx format (using the Windows Azure Certificate Store [4]).
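
To illustrate the approach described above, here is a minimal certificate-backed provider built on the .NET Framework's ProtectedConfigurationProvider and EncryptedXml classes. It is an added example, not the source code of this sample: the class name CertificateConfigProvider is hypothetical, the thumbprint attribute is assumed to be set on the provider's entry in Web.config, and the certificate is assumed to be installed in the LocalMachine\My store. It needs references to the System.Configuration and System.Security assemblies.

```csharp
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical class name; an illustration, not the class shipped with the sample.
public sealed class CertificateConfigProvider : ProtectedConfigurationProvider
{
    private X509Certificate2 _cert;

    // Reads the "thumbprint" attribute (assumed) from the provider's <add> element in Web.config.
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        string thumbprint = config["thumbprint"];
        if (string.IsNullOrEmpty(thumbprint))
            throw new ConfigurationErrorsException("The thumbprint attribute is required.");
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so a self-signed certificate is accepted.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new ConfigurationErrorsException("Certificate not found: " + thumbprint);
            _cert = found[0];
        }
        finally { store.Close(); }
    }

    public override XmlNode Encrypt(XmlNode node)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(node.OuterXml);
        // A random session key encrypts the section; the certificate's RSA public key wraps that key.
        EncryptedData data = new EncryptedXml().Encrypt(doc.DocumentElement, _cert);
        return data.GetXml();
    }

    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(encryptedNode.OuterXml);
        // EncryptedXml resolves the certificate referenced in KeyInfo from the Windows
        // certificate store; decryption fails if its private key is not installed.
        new EncryptedXml(doc).DecryptDocument();
        return doc.DocumentElement;
    }
}
```

Only the public key is needed to encrypt, so the private key has to be present only on the machines that decrypt, and the account running the application must be able to read it.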

How To: Encrypt Configuration Sections in ASP.NET applications hosted on Windows Azure


[1] Encrypting Configuration Information Using Protected Configuration

[2] How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

[3] Implementing a Protected Configuration Provider

[4] Working with the Windows Azure Certificate Store
Last edited Aug 18 2010 at 7:50 PM  by varunsh, version 22
PaulEnfield wrote  Aug 18 2010 at 11:06 PM  
This sample represents the best practice for securing sensitive configuration settings such as SQL Azure connection strings, WAS access keys, etc. This sample is a MUST for securing any Windows Azure application.

richiehere wrote  Aug 26 2010 at 7:54 PM  
Very good work Varun!

KB2007 wrote  Feb 27 2011 at 5:24 PM  
Hi, I am unable to encrypt the web.config. It is giving me the following msg in the VS command prompt

"Encrypting configuration section...
The protection provider 'CustomProvider' was not found.

Unable to understand why it doesn't find the CustomProvider. Also, on adding thumbprint in the web.config for the CustomProvider, the intellisense doesn't recognize the attribute. Is it OK?
