Implementing a Protected Configuration Provider
Protected configuration enables you to encrypt sections of an ASP.NET application's Web.config file in order to protect sensitive information used by the application. This can improve the security of your application by making it difficult for an attacker to recover the sensitive information from a copy of your Web.config file. Note what it does not do: code running on the server under the application identity can still read the decrypted section, because ASP.NET decrypts it transparently at load time, so the security of the scheme rests on the key material (the RSA key container, the DPAPI machine or user key, or whatever key a custom provider uses) and on who can reach it. ASP.NET includes two protected configuration providers that can be used to encrypt sections of a Web.config file: RsaProtectedConfigurationProvider, which uses the RSA encryption algorithm to encrypt configuration sections, and DpapiProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.
In some cases, you might need to encrypt information using an algorithm other than those available with the RSA or DPAPI providers. In that case, you can build a custom protected configuration provider to be used by ASP.NET. If you do, use a well-understood construction (authenticated encryption with a fresh random IV for every encryption) rather than inventing one, and treat the storage and access control of the key as the main design problem: a provider that reads its key from a file the web application can write to, or from the same Web.config it protects, adds no real protection.
Required Classes for Protected Configuration Providers
To implement a protected configuration provider, you create a class that inherits the ProtectedConfigurationProvider abstract class from the System.Configuration namespace. The ProtectedConfigurationProvider abstract class inherits the ProviderBase abstract class from the System.Configuration.Provider namespace, so you must implement the required members of the ProviderBase class as well. The following tables list the properties and methods that you must implement from the ProviderBase and ProtectedConfigurationProvider abstract classes. To see an implementation of each member, see the accompanying example topic.
Required ProviderBase Members
Initialize method
Sets property values for the provider instance, including implementation-specific values and options supplied in the application configuration. Takes as input the name of the provider and a NameValueCollection of configuration settings (the attributes of the provider's add element in Web.config). Validate these settings here: reject missing required attributes and any attribute you do not recognize, so that a misconfigured provider fails at startup rather than silently running with the wrong key.
Required ProtectedConfigurationProvider Members
Encrypt method
Performs the encryption. Takes as input an XmlNode object containing the configuration section to be encrypted. For example, if the configuration section to be encrypted is the connectionStrings section, the XmlNode object represents the connectionStrings element itself, including its child elements.
The Encrypt method encrypts the XML contents of the XmlNode object and returns an XmlNode object in which an EncryptedData element is the root element, as shown in the following example:
<EncryptedData>
  <!-- encrypted contents -->
</EncryptedData>
The format of the contents of the EncryptedData element is determined by your implementation. When the element is decrypted, ASP.NET will pass an XmlNode object to the Decrypt method, where the EncryptedData element is the root element.
Decrypt method
Performs the decryption. Takes as input an XmlNode object containing the EncryptedData element of an encrypted configuration section. For example, if the connectionStrings section is the configuration section that was encrypted, the XmlNode object represents the EncryptedData element in the following example (the configProtectionProvider attribute names the provider that ASP.NET will call):
<connectionStrings configProtectionProvider="CustomProvider">
  <EncryptedData>
    <!-- encrypted contents -->
  </EncryptedData>
</connectionStrings>
The Decrypt method decrypts the contents of the XmlNode object and returns an XmlNode object that represents the decrypted contents of the EncryptedData XmlNode object. For example, if the connectionStrings section was encrypted, the Decrypt method returns an XmlNode object representing the original connectionStrings element. Because the EncryptedData contents come from a file an attacker may have been able to modify, Decrypt should verify the integrity of the data before decrypting it and throw a ConfigurationErrorsException when the check fails, rather than returning whatever the cipher produces.
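The following is an added example of the three members described above, written for this page and not taken from the original topic or its sample provider. The class name AesHmacProtectedConfigurationProvider, the keyFile attribute, the 64-byte key-file format and the AES-256-CBC plus HMAC-SHA256 (encrypt-then-MAC) layout of the EncryptedData contents are all choices made for the example; the ProtectedConfigurationProvider, ProviderBase, ProviderException and ConfigurationErrorsException types are the real .NET Framework types.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Added example (not from the original topic): hypothetical provider that protects a section
// with AES-256-CBC and an HMAC-SHA256 tag. EncryptedData holds base64(IV || ciphertext || tag).
public sealed class AesHmacProtectedConfigurationProvider : ProtectedConfigurationProvider
{
    private const int IvSize = 16, TagSize = 32, KeySize = 32;
    private byte[] _encKey, _macKey;

    // ProviderBase.Initialize: read and validate the attributes of the provider's add element.
    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        if (string.IsNullOrEmpty(name)) name = "AesHmacProtectedConfigurationProvider";
        base.Initialize(name, config);

        // Hypothetical 'keyFile' attribute: path to a file containing 64 random bytes in base64
        // (32 for AES, 32 for HMAC). Keep it outside the web root, readable only by the app identity.
        string keyFile = config["keyFile"];
        config.Remove("keyFile");
        if (string.IsNullOrEmpty(keyFile)) throw new ProviderException("The 'keyFile' attribute is required.");
        if (config.Count > 0) throw new ProviderException("Unrecognized attribute: " + config.GetKey(0));

        byte[] master = Convert.FromBase64String(File.ReadAllText(keyFile).Trim());
        if (master.Length != 2 * KeySize) throw new ProviderException("keyFile must hold exactly 64 bytes.");
        _encKey = new byte[KeySize]; _macKey = new byte[KeySize];
        Buffer.BlockCopy(master, 0, _encKey, 0, KeySize);
        Buffer.BlockCopy(master, KeySize, _macKey, 0, KeySize);
    }

    // Encrypt: 'node' is the section element, e.g. <connectionStrings>...</connectionStrings>.
    public override XmlNode Encrypt(XmlNode node)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(node.OuterXml);
        byte[] iv, ciphertext;
        using (Aes aes = Aes.Create())
        {
            aes.Key = _encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                       // fresh random IV for every encryption
            iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] tag;
        using (var hmac = new HMACSHA256(_macKey))
            tag = hmac.ComputeHash(Concat(iv, ciphertext));   // tag covers IV and ciphertext

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<EncryptedData>" + Convert.ToBase64String(Concat(iv, ciphertext, tag)) + "</EncryptedData>");
        return doc.DocumentElement;
    }

    // Decrypt: 'encryptedNode' is the <EncryptedData> element written by Encrypt.
    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        if (encryptedNode == null || encryptedNode.Name != "EncryptedData")
            throw new ConfigurationErrorsException("Expected an EncryptedData element.");
        byte[] blob = Convert.FromBase64String(encryptedNode.InnerText);
        if (blob.Length < IvSize + 16 + TagSize)     // IV, at least one cipher block, tag
            throw new ConfigurationErrorsException("Encrypted section is truncated.");

        int ctLen = blob.Length - IvSize - TagSize;
        byte[] iv = new byte[IvSize], ciphertext = new byte[ctLen], tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
        Buffer.BlockCopy(blob, IvSize, ciphertext, 0, ctLen);
        Buffer.BlockCopy(blob, IvSize + ctLen, tag, 0, TagSize);

        // Verify the tag before decrypting: tampered data never reaches the cipher, so there is
        // no padding-oracle behaviour and no attacker-controlled XML handed back to ASP.NET.
        byte[] expected;
        using (var hmac = new HMACSHA256(_macKey))
            expected = hmac.ComputeHash(Concat(iv, ciphertext));
        if (!FixedTimeEquals(expected, tag))
            throw new ConfigurationErrorsException("Encrypted section failed integrity check.");

        byte[] plaintext;
        using (Aes aes = Aes.Create())
        {
            aes.Key = _encKey; aes.IV = iv; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                plaintext = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Encoding.UTF8.GetString(plaintext));
        return doc.DocumentElement;
    }

    private static byte[] Concat(params byte[][] parts)
    {
        int total = 0;
        foreach (byte[] p in parts) total += p.Length;
        byte[] result = new byte[total];
        int offset = 0;
        foreach (byte[] p in parts) { Buffer.BlockCopy(p, 0, result, offset, p.Length); offset += p.Length; }
        return result;
    }

    // Constant-time comparison so a failed tag check does not leak which byte differed.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

To use a provider like this, register it under the configProtectedData element of Web.config with an add element whose name attribute is the value later used in configProtectionProvider (for example CustomProvider), whose type attribute is the assembly-qualified class name, and whose remaining attributes (here keyFile) are what Initialize receives in its NameValueCollection. The section is then encrypted in place with the aspnet_regiis tool, passing the section name to -pe, the application path to -app and the provider name to -prov; ASP.NET calls Decrypt automatically whenever it loads the section. The key file must also be present, with the same contents, on every server that loads the encrypted Web.config.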
For an example custom protected configuration provider that uses a symmetric-encryption class to encrypt and decrypt sections of a Web.config file, see the accompanying example topic.