Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why encrypt a web config file?

Tags:

passwords

asp.net

encryption

web-config

As far as I can tell, any section in a web.config file can be encrypted & decrypted using aspnet_regiis.exe.

If aspnet_regiis can be used to decrypt the web.config file, then what's the point of encrypting it? Is it just to keep passwords & sensitive information from being stored as plain text? If anyone with the file and the exe can decrypt it, does it really protect sensitive config info?

UPDATE

Thanks to everyone who answered regarding the machine key. The reason I asked this question is because we have an open source project hosted at codeplex.com. However, we also deploy this project to Windows Azure. I am trying to find a best approach to keep the sensitive passwords out of source control, but keep them accessible as part of my project for when I deploy to Azure.

Currently, I am using web config transforms to store the Azure connection strings (as well as Gmail passwords for system.net). I've created a Web.PublishToAzure.config transform file, and just kept that file out of source control. I also found this article which may be a better option. Thanks again.

like image 843
danludwig Avatar asked May 11 '11 15:05

danludwig

People also ask

Can you encrypt Web config?

Encrypting a Web Configuration Section To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the –pe option and the name of the configuration element to be encrypted. Use the –app option to identify the application for which the Web.

Is Web config file secure?

Web. config files are protected by IIS, so clients cannot access it. If you try to retrieve an existing http://mydomain.com/Web.config file, you'll be notified with an “Access denied” error message.

What is the importance of Web config file?

A configuration file (web. config) is used to manage various settings that define a website. The settings are stored in XML files that are separate from your application code. In this way you can configure settings independently from your code.

How do I protect my config file?

To secure passwords for configuration parameters, you can use an encrypted password file, separate from the configuration files. The pr0pass program maintains the password file, encrypting passwords for parameters in the configuration files.

1 Answers

In history, there were exploits in browsers or web server software that allowed users to view any file on the server's hard drive. In a case such as this, the encrypted web.config file could be of some use. However if a web server has been compromised allowing remote access to the server itself, then having an encrypted web.config file will be the least of your worries.

like image 80
CheckRaise Avatar answered Sep 21 '22 16:09

CheckRaise
Sign in to Comment

Related questions

Can I fool HttpRequest.Current.Request.IsLocal?
disabling default button or enter key in asp.net c#
FormsAuthentication.RedirectFromLoginPage to a custom page
How to simulate HTTP POST programmatically in ASP.NET?
Can gzip compression be selectively disabled in ASP.NET/IIS 7?
Message Queue Exception : Queue does not exist or you do not have sufficient permissions to perform the operation
ASP.NET -- IIS7 -- IBM DB2 Issue
Why not always use HTTP post for ajax calls?
Do something javascript before asp.net anypostback
Is an ASP.net MVC View a "class"?
Dropdown list selected value not working
Get value of GridView Cell in RowCommand
How to add a Custom EndPointBehavior to the web.config of the service?
How do I disable object reference creation in the Newtonsoft JSON serializer?
Can't add config transforms
What is the JavaScript equivalent of C# Server.URLEncode?
Maintain scroll position of a div within a page on postback
C# DateTime ToString("MM-dd-yyyy") returns funny day values
Changing a value in the machine.config
How can you force the browser to download an xml file?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!