This documentation is archived and is not being maintained.

ProtectedConfigurationProvider Class

The base class for creating providers that encrypt and decrypt protected-configuration data.

Namespace:  System.Configuration
Assembly:  System.Configuration (in System.Configuration.dll)

type ProtectedConfigurationProvider =  
        inherit ProviderBase

The ProtectedConfigurationProvider type exposes the following members.

Protected method: ProtectedConfigurationProvider - Initializes a new instance of the ProtectedConfigurationProvider class using default settings.

Public property: Description - Gets a brief, friendly description suitable for display in administrative tools or other user interfaces (UIs). (Inherited from ProviderBase.)
Public property: Name - Gets the friendly name used to refer to the provider during configuration. (Inherited from ProviderBase.)

Public method: Decrypt - Decrypts the passed XmlNode object from a configuration file.
Public method: Encrypt - Encrypts the passed XmlNode object from a configuration file.
Public method: Equals(Object) - Determines whether the specified Object is equal to the current Object. (Inherited from Object.)
Protected method: Finalize - Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public method: GetHashCode - Serves as a hash function for a particular type. (Inherited from Object.)
Public method: GetType - Gets the Type of the current instance. (Inherited from Object.)
Public method: Initialize - Initializes the provider. (Inherited from ProviderBase.)
Protected method: MemberwiseClone - Creates a shallow copy of the current Object. (Inherited from Object.)
Public method: ToString - Returns a string that represents the current object. (Inherited from Object.)

You can encrypt sections of a configuration file to protect sensitive information used by your application. This improves security by making the protected values difficult to read even if an attacker gains access to your configuration file.

The .NET Framework includes two protected configuration providers that can be used to encrypt sections of a configuration file. The RsaProtectedConfigurationProvider class uses the RSACryptoServiceProvider to encrypt configuration sections. The DpapiProtectedConfigurationProvider class uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.

You might have a requirement to encrypt sensitive information using an algorithm other than the RSA or DPAPI providers. In this case, you can build your own custom protected-configuration provider. The ProtectedConfigurationProvider is an abstract base class that you must inherit from to create your own protected-configuration provider.

Whether you use a standard or a custom provider, you must ensure that it is configured with the add element in the providers section of the configProtectedData configuration section. (See next example.)

For details, see Implementing a Protected Configuration Provider.


When ASP.NET encounters encrypted configuration data, it performs decryption transparently using the configured provider. No action is required on your side other than making sure that you configure the required provider.

Implementing a Protected Configuration Provider
Building ASP.NET Web Applications

The following example shows how to implement a custom ProtectedConfigurationProvider.

To be able to configure this provider, as shown in the next configuration excerpt, you must install it in the Global Assembly Cache (GAC). Refer to Implementing a Protected Configuration Provider for more information.

No code example is currently available or this language may not be supported.
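A sketch of a custom provider in C#, added here and not the TripleDES sample the original page referred to. It overrides Initialize, Encrypt and Decrypt, and uses AES-CBC with an HMAC-SHA256 tag so that tampered configuration data is rejected before decryption. The class name and the `keyFile` attribute are assumptions, and it needs .NET Framework 3.5 or later (Aes and LINQ).

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Added example (hypothetical class): AES-CBC + HMAC-SHA256, encrypt-then-MAC.
public sealed class AesHmacProtectedConfigurationProvider : ProtectedConfigurationProvider {
    private byte[] encKey, macKey;
    public override void Initialize(string name, NameValueCollection config) {
        base.Initialize(name, config);
        // "keyFile" is an assumed attribute: path to base64 text of 64 random bytes.
        byte[] k = Convert.FromBase64String(File.ReadAllText(config["keyFile"]).Trim());
        if (k.Length != 64) throw new ConfigurationErrorsException("keyFile must hold 64 bytes");
        encKey = k.Take(32).ToArray(); macKey = k.Skip(32).ToArray();
    }
    public override XmlNode Encrypt(XmlNode node) {
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(macKey)) {
            aes.Key = encKey; aes.GenerateIV();   // fresh IV for every call
            byte[] plain = Encoding.UTF8.GetBytes(node.OuterXml);
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();                    // IV || ciphertext
            byte[] blob = body.Concat(mac.ComputeHash(body)).ToArray();   // body || tag
            return Load("<EncryptedData>" + Convert.ToBase64String(blob) + "</EncryptedData>");
        }
    }
    public override XmlNode Decrypt(XmlNode encryptedNode) {
        byte[] blob = Convert.FromBase64String(encryptedNode.InnerText.Trim());
        if (blob.Length < 64) throw new CryptographicException("Truncated data");
        byte[] body = blob.Take(blob.Length - 32).ToArray();
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(macKey)) {
            byte[] expected = mac.ComputeHash(body);
            int diff = 0;   // constant-time tag check, done before any decryption
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ blob[body.Length + i];
            if (diff != 0) throw new CryptographicException("Integrity check failed");
            aes.Key = encKey; aes.IV = body.Take(16).ToArray();
            return Load(Encoding.UTF8.GetString(aes.CreateDecryptor().TransformFinalBlock(body, 16, body.Length - 16)));
        }
    }
    private static XmlNode Load(string xml) {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc.DocumentElement;
    }
}
```

The key file is the real secret here: keep it outside the web root and readable only by the application's identity, otherwise the encrypted section protects nothing.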

The following example shows how to use the previous custom ProtectedConfigurationProvider.

No code example is currently available or this language may not be supported.
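A sketch of how a console application can protect and unprotect the connectionStrings section through a registered provider, added here and not the original page's sample. The provider name `AesHmacProvider` is an assumption standing in for whatever name the provider's add element carries in configProtectedData.

```csharp
using System;
using System.Configuration;

public static class ProtectConnectionStrings {
    // Assumed: the name given to the custom provider's <add> element in configProtectedData.
    private const string ProviderName = "AesHmacProvider";

    // Returns true if the file on disk was changed.
    public static bool SetProtection(bool protect) {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("connectionStrings is missing or locked");

        SectionInformation info = section.SectionInformation;
        if (protect == info.IsProtected) return false;       // already in the requested state
        if (protect) info.ProtectSection(ProviderName);      // provider.Encrypt runs on Save
        else info.UnprotectSection();                        // section is written back in clear text

        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");   // drop the cached copy
        return true;
    }

    public static void Main() {
        Console.WriteLine("Changed: " + SetProtection(true));
        // Reads are decrypted transparently; the file on disk now holds only EncryptedData.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["NorthwindConnectionString"];
        Console.WriteLine(cs.ProviderName);
    }
}
```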

The following is an excerpt of the configuration file used by the above examples.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configProtectedData>
    <providers>
      <clear />
      <!-- The add element also requires a name attribute, which this excerpt does not show. -->
      <add keyContainerName="pcKey.txt"
           type="Samples.Aspnet.TripleDESProtectedConfigurationProvider, protectedconfigurationproviderlib, Version=, Culture=neutral, PublicKeyToken=79e01ae0f5cfc66f, processorArchitecture=MSIL" />
    </providers>
  </configProtectedData>

  <connectionStrings>
    <add name="NorthwindConnectionString"
         connectionString="Data Source=webnetue2;Initial Catalog=Northwind;User ID=aspnet_test;Password=test"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>


.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.