Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why encrypt a web config file?

As far as I can tell, any section in a web.config file can be encrypted & decrypted using aspnet_regiis.exe.

If aspnet_regiis can be used to decrypt the web.config file, then what's the point of encrypting it? Is it just to keep passwords & sensitive information from being stored as plain text? If anyone with the file and the exe can decrypt it, does it really protect sensitive config info?

UPDATE

Thanks to everyone who answered regarding the machine key. The reason I asked this question is because we have an open source project hosted at codeplex.com. However, we also deploy this project to Windows Azure. I am trying to find a best approach to keep the sensitive passwords out of source control, but keep them accessible as part of my project for when I deploy to Azure.

Currently, I am using web config transforms to store the Azure connection strings (as well as Gmail passwords for system.net). I've created a Web.PublishToAzure.config transform file, and just kept that file out of source control. I also found this article which may be a better option. Thanks again.

like image 843
danludwig Avatar asked May 11 '11 15:05

danludwig


People also ask

Can you encrypt Web config?

Encrypting a Web Configuration Section To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the –pe option and the name of the configuration element to be encrypted. Use the –app option to identify the application for which the Web.

Is Web config file secure?

Web. config files are protected by IIS, so clients cannot access it. If you try to retrieve an existing http://mydomain.com/Web.config file, you'll be notified with an “Access denied” error message.

What is the importance of Web config file?

A configuration file (web. config) is used to manage various settings that define a website. The settings are stored in XML files that are separate from your application code. In this way you can configure settings independently from your code.

How do I protect my config file?

To secure passwords for configuration parameters, you can use an encrypted password file, separate from the configuration files. The pr0pass program maintains the password file, encrypting passwords for parameters in the configuration files.


1 Answers

In history, there were exploits in browsers or web server software that allowed users to view any file on the server's hard drive. In a case such as this, the encrypted web.config file could be of some use. However if a web server has been compromised allowing remote access to the server itself, then having an encrypted web.config file will be the least of your worries.

like image 80
CheckRaise Avatar answered Sep 21 '22 16:09

CheckRaise