I have a web application, which I publish to three web servers using the 'publish' option.
I want to encrypt the connectionStrings section of the web.config file. The command below will do it:
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\application
However, I have to RDP (Remote Desktop) to each server and run the command on each server as you cannot run it like this (from a client PC):
\\servername\c$\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" \\servername\c$\inetpub\application
Is there a better way of doing this? Perhaps:
1) Execute a command line on the server after publishing
2) Use a build option in Visual Studio that allows you to execute a batch file after publishing is complete
Encrypt the connectionStrings section of your web.config on your server and then add this encrypted section to your web.[CONFIGURATION_FOR_SERVER].config transformation file. The key being the first line which says to replace the connectionStrings portion of your original web.config with this new encrypted value. You'll need a new transformation file for each server that you are publishing to. Visual Studio will raise a warning (not error) i.e.
Warning 15 The element 'connectionStrings' has invalid child element 'EncryptedData' in namespace 'http://www.w3.org/2001/04/xmlenc#'. List of possible elements expected: 'add, remove, clear'. C:\DevTFS\YourProject\Web.Stage.config 14 6 YourProject
about the format of this transformation file - I haven't found the correct syntax to get around this so I'm open to suggestions, but it still works so I'm happy. Full blog entry on this: http://randomdotnetnuggets.blogspot.com.au/2013/05/publishing-encrypted-connection-strings.html
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider" xdt:Transform="Replace">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>t8p7aOZTjMo...zE6FAAI=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>Vy1TZWY8....ic+Qg6T7U</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
If Integrated Security is not an option, I suggest you use MS Web Deploy.
When you build a deployment package with Visual Studio 2012, you'll get a zip file and command line script files. You can modify that script file to encrypt your web.config or roll your own batch script or PowerShell script.
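One way to run the question's command on every server without RDP and confirm the result, as an added example that is not part of either answer above. It assumes PowerShell remoting is enabled on the servers; the server names are placeholders, and the paths are the ones from the question.

```powershell
# Added example. Assumptions: PowerShell remoting is enabled on the servers,
# and the server names below are placeholders. Paths are from the question.
$servers  = 'web01', 'web02', 'web03'
$sitePath = 'c:\inetpub\application'
$regiis   = 'c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

$results = Invoke-Command -ComputerName $servers -ArgumentList $regiis, $sitePath -ScriptBlock {
    param($regiis, $sitePath)

    # True when <connectionStrings> carries a configProtectionProvider attribute,
    # i.e. the section on disk is already encrypted.
    function Test-SectionEncrypted($file) {
        $xml  = [xml](Get-Content -Path $file)
        $node = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='connectionStrings']")
        return ($null -ne $node) -and $node.HasAttribute('configProtectionProvider')
    }

    $config = Join-Path $sitePath 'web.config'
    $detail = 'already encrypted, skipped'
    if (-not (Test-SectionEncrypted $config)) {
        # Runs locally on the server, so the section is protected with that server's key.
        $output = & $regiis -pef 'connectionStrings' $sitePath 2>&1
        $detail = "exit code $LASTEXITCODE; " + (($output | Out-String).Trim() -replace '\s+', ' ')
    }

    # Re-read the file rather than trusting the tool's output.
    New-Object PSObject -Property @{
        Encrypted = (Test-SectionEncrypted $config)
        Detail    = $detail
    }
}

$results | Format-Table PSComputerName, Encrypted, Detail -AutoSize

# A server that could not be reached returns no result, so check for gaps too.
$reported = @($results | ForEach-Object { $_.PSComputerName })
$failed   = @($servers | Where-Object { $reported -notcontains $_ })
$failed  += @($results | Where-Object { -not $_.Encrypted } | ForEach-Object { $_.PSComputerName })
if ($failed.Count -gt 0) {
    Write-Error ("connectionStrings not confirmed encrypted on: " + ($failed -join ', '))
    exit 1
}
```

Run it as a post-publish step; the non-zero exit makes a build or deployment script stop if any server is left with a plaintext connectionStrings section.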