Part of securing an application involves ensuring that highly sensitive information is not stored in a readable or easily decodable format. Examples of sensitive information include user names, passwords, connection strings, and encryption keys. Storing sensitive information in a non-readable format improves the security of your application by making it difficult for an attacker to gain access to the sensitive information, even if an attacker gains access to the file, database, or other storage location.
One of the primary places that sensitive information is stored in an ASP.NET application is the Web.config file. To help secure information in configuration files, ASP.NET provides a feature called protected configuration, which enables you to encrypt sensitive information in a configuration file.
- Overview of Protected Configuration
- Specifying a Protected Configuration Provider
- Encrypting and Decrypting Configuration Sections
- Importing and Exporting Protected Configuration RSA Key Containers
- Understanding Machine-Level and User-Level RSA Key Containers
- Walkthrough: Encrypting Configuration Information Using Protected Configuration
- Walkthrough: Creating and Exporting an RSA Key Container
- Implementing a Protected Configuration Provider
- ProtectedConfiguration
- Securing ASP.NET Web Sites