Implementing a Protected Configuration Provider
Protected configuration enables you to encrypt sections of an ASP.NET application's Web.config file in order to protect sensitive information used by the application. This can improve the security of your application by making it difficult for an attacker to gain access to the sensitive information even if an attacker gains access to your Web.config file. ASP.NET includes two protected configuration providers that can be used to encrypt sections of a Web.config file: RsaProtectedConfigurationProvider, which uses the RSACryptoServiceProvider to encrypt configuration sections, and DpapiProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.
In some cases, you might need to encrypt information using an algorithm other than those available with the RSA or DPAPI providers. In that case, you can build a custom protected configuration provider to be used by ASP.NET.
To implement a protected configuration provider, you create a class that inherits the ProtectedConfigurationProvider abstract class from the System.Configuration namespace. The ProtectedConfigurationProvider abstract class inherits the ProviderBase abstract class from the System.Configuration.Provider namespace, so you must implement the required members of the ProviderBase class as well. The following tables list the properties and methods that you must implement from the ProviderBase and ProtectedConfigurationProvider abstract classes. To see an implementation of each member, see How to: Build and Run the Protected Configuration Provider Example.
Required ProviderBase Members
Required ProtectedConfigurationProvider Members
Performs the encryption. Takes as input an XmlNode object containing the configuration section to be encrypted. For example, if the configuration section to be encrypted is the connectionStrings section, the XmlNode object represents XML data similar to the following example.
<EncryptedData> <!-- encrypted contents --> </EncryptedData>
The format of the contents of the EncryptedData element is determined by your implementation. When the element is decrypted, ASP.NET will pass an XmlNode object to the Decrypt method, where the EncryptedData element is the root element.
Performs the decryption. Takes as input an XmlNode object containing the EncryptedData element of an encrypted configuration section. For example, if the connectionStrings section is the configuration section that was encrypted, the XmlNode object represents XML data similar to highlighted XML in the following example.
<connectionStrings configProtectionProvider="CustomProvider"> <EncryptedData> <!-- encrypted contents --> </EncryptedData> </connectionStrings>
The Decrypt method decrypts the contents of the XmlNode object and returns an XmlNode object that represents the decrypted contents of the EncryptedData XmlNode object. For example, if the connectionStrings section was encrypted, the Decrypt method returns an XmlNode object with XML data similar to the following example.
For an example custom protected configuration provider that uses the TripleDESCryptoServiceProvider class to encrypt and decrypt sections of a Web.config file, see How to: Build and Run the Protected Configuration Provider Example.