

Encrypting Configuration Data

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The latest Enterprise Library information can be found at the Enterprise Library site.

You can encrypt and decrypt the data in a configuration file's configuration sections. A configuration section contains the configuration information for an application block. The configuration tool allows you to select from the encryption providers that are included in the Machine.config file. Typically, these are the DataProtectionConfigurationProvider, which uses DPAPI, and the RsaProtectedConfigurationProvider, which uses RSA.

If the encrypted configuration file is going to be on only a single server, you can use the DataProtectionConfigurationProvider. If you want to deploy the same encrypted configuration file on multiple servers in a Web farm, you should use the RsaProtectedConfigurationProvider. This provider makes it easy for you to encrypt the data on one server computer and then export the RSA private key needed to decrypt the data. You can then deploy the configuration file and the exported key to the target servers, and then re-import the keys.

To encrypt a configuration section

  1. Open one of the configuration tools.
  2. Open an existing configuration file or create a new one.
  3. Click the name of the application block whose configuration information you want to encrypt.
  4. In the Properties pane, click ProtectionProvider.
  5. Select either DataProtectionConfigurationProvider or RsaProtectedConfigurationProvider.

All the settings for the providers, such as where keys are stored, are also in the Machine.config file. You cannot change this file with a configuration tool. Instead, you must modify the file using a text editor.

To decrypt a configuration file, simply open it in the configuration tool. The file is automatically decrypted.
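The following added example (not part of the original page or of Enterprise Library) audits a configuration file before deployment: it reports which declared sections are still plaintext and flags DPAPI-protected sections when the file is destined for a Web farm, following the provider guidance above. It relies on the fact that a protected section carries a `configProtectionProvider` attribute and an `EncryptedData` child element; the sample file, its section names, and the `audit_sections` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DPAPI = "DataProtectionConfigurationProvider"

# Constructed sample file; section names and cipher text are placeholders.
SAMPLE = """<configuration>
  <configSections>
    <section name="dataConfiguration" type="placeholder" />
    <section name="loggingConfiguration" type="placeholder" />
    <section name="cachingConfiguration" type="placeholder" />
  </configSections>
  <dataConfiguration configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </dataConfiguration>
  <loggingConfiguration configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </loggingConfiguration>
  <cachingConfiguration defaultCacheManager="Cache Manager" />
</configuration>"""


def audit_sections(xml_text, web_farm=False):
    """Return {section name: finding} for every section declared in configSections."""
    root = ET.fromstring(xml_text)
    findings = {}
    for decl in root.findall("configSections/section"):
        name = decl.get("name")
        node = root.find(name)
        if node is None:
            findings[name] = "declared but absent"
            continue
        provider = node.get("configProtectionProvider")
        # EncryptedData may be namespace-qualified ('{ns}EncryptedData'); compare local names.
        encrypted = any(c.tag.rsplit("}", 1)[-1] == "EncryptedData" for c in node)
        if not (provider and encrypted):
            findings[name] = "plaintext"
        elif provider == DPAPI and web_farm:
            findings[name] = "encrypted with DPAPI provider; use RSA for a Web farm"
        else:
            findings[name] = "encrypted with " + provider
    return findings


if __name__ == "__main__":
    for section, finding in audit_sections(SAMPLE, web_farm=True).items():
        print(f"{section}: {finding}")
```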