
How does IIS Config File Encryption work?

I'm trying to understand how the aspnet_regiis.exe tool "encrypts" Web.config files.

Here is the documentation for how to use the tool:

  • Encryption:

    http://msdn.microsoft.com/en-us/library/bb986855.aspx

  • Decryption:

    http://msdn.microsoft.com/en-us/library/bb986792.aspx

I'm looking for answers to questions this documentation does not address:

  • Does this only work for Web.config files?

  • What exactly is encrypted? The whole config file?

  • Does IIS automatically know how to decrypt encrypted config files?

  • What encryption algorithms are used?

  • Are there any encryption keys (and/or passwords)? Where are they?

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)

Jay Sullivan asked Sep 17 '13 14:09


1 Answer

  • Does this only work for Web.config files?

I think so, but a simple test will give you a sure answer. (Update: the tool assumes there is a web.config file. If you need to encrypt another file like app.config, just rename it to web.config.)

  • What exactly is encrypted? The whole config file?

You can specify sections that will be encrypted (see this link).

  • Does IIS automatically know how to decrypt encrypted config files?

Yes (same link)

  • What encryption algorithms are used?

You can choose a provider of your choice (same link)

  • Are there any encryption keys (and/or passwords)? Where are they?

Yes, there are if you use the RsaProtectedConfigurationProvider; see this link for more info.

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)

Yes, using RsaProtectedConfigurationProvider it is possible.

For more general information on Protected Configuration, please refer to this guide on MSDN.

Superzadeh answered Sep 19 '22 04:09
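Added example, not part of the original question or answer: because protection is applied per section, a deployment check can read a config file and report which of the sections you care about are actually encrypted and by which provider. The function name `section_status`, the section list and the sample config are assumptions constructed for illustration; the check relies on the `configProtectionProvider` attribute and the XML Encryption `EncryptedData` element that a protected section carries.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"  # W3C XML Encryption namespace

# Constructed sample (trimmed: a real RSA-protected section also carries a
# KeyInfo/EncryptedKey element; the CipherValue here is a placeholder).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="constructed-placeholder" />
  </appSettings>
</configuration>"""


def section_status(config_xml, section_paths):
    """Map each section path to (state, provider, algorithm)."""
    root = ET.fromstring(config_xml)
    report = {}
    for path in section_paths:
        node = root
        for part in path.split("/"):  # walk section groups, e.g. system.web/machineKey
            node = next((c for c in node if c.tag == part), None)
            if node is None:
                break
        if node is None:
            report[path] = ("absent", None, None)
            continue
        provider = node.get("configProtectionProvider")
        enc = node.find(XMLENC + "EncryptedData")
        if provider is None or enc is None:
            report[path] = ("cleartext", provider, None)
            continue
        method = enc.find(XMLENC + "EncryptionMethod")  # direct child only
        algo = method.get("Algorithm", "").rsplit("#", 1)[-1] if method is not None else None
        report[path] = ("encrypted", provider, algo)
    return report


if __name__ == "__main__":
    wanted = ["connectionStrings", "appSettings", "system.web/machineKey"]
    for path, status in section_status(SAMPLE_CONFIG, wanted).items():
        print(path, status)
```

A section reported as `cleartext` is one that still needs to be protected with the tool before the file is deployed or committed.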