How to encrypt one entry in web.config
You could put the password into a separate section and encrypt this section only. For example:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <appSettings>
    <add key="Host" value="www.foo.com" />
    <add key="Token" value="qwerqwre" />
    <add key="AccountId" value="123" />
    <add key="DepartmentId" value="456" />
    <add key="SessionEmail" value="foo@foo.com" />
    <add key="DefaultFolder" value="789" />
  </appSettings>
  <secureAppSettings>
    <add key="Password" value="asdfasdf" />
  </secureAppSettings>
</configuration>
and then (note that I am using DPAPI in my example so adapt the provider for RSA):
aspnet_regiis -pef secureAppSettings . -prov DataProtectionConfigurationProvider
Once encrypted the file will look like this:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <section name="secureAppSettings" type="System.Configuration.NameValueSectionHandler, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <appSettings>
    <add key="Host" value="www.foo.com" />
    <add key="Token" value="qwerqwre" />
    <add key="AccountId" value="123" />
    <add key="DepartmentId" value="456" />
    <add key="SessionEmail" value="foo@foo.com" />
    <add key="DefaultFolder" value="789" />
  </appSettings>
  <secureAppSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>AQAAANCMnd.......</CipherValue>
      </CipherData>
    </EncryptedData>
  </secureAppSettings>
</configuration>
The way you would access those settings in your application once the file is encrypted is still the same and completely transparent:
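var host = ConfigurationManager.AppSettings["Host"];
// "Password" is in the custom secureAppSettings section, not appSettings, so read it through GetSection
var secure = (System.Collections.Specialized.NameValueCollection)ConfigurationManager.GetSection("secureAppSettings");
var password = secure["Password"];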
In C# and .NET 4.5 I had to use this to read the encrypted setting:
string password = ((System.Collections.Specialized.NameValueCollection)ConfigurationManager.GetSection("secureAppSettings"))["Password"];
but otherwise works a treat.
You can't encrypt a single entry - the infrastructure only allows for encryption of whole config sections.
One option is to place the entry in its own config section and encrypt that.
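A check to run after `aspnet_regiis`, confirming that the section really holds ciphertext and that no secret-looking key is left in plaintext in another section. This is an added example, not part of the original answers; the `audit_config` name and the key-name pattern are assumptions, and the sample documents are constructed from the listings above.

```python
import re
import xml.etree.ElementTree as ET

# Key names that suggest a secret (assumed pattern; tune it for your project).
SECRET_KEY = re.compile(r"password|passwd|pwd|secret|token|apikey", re.I)

def audit_config(xml_text):
    """Return (protected_sections, plaintext_findings) for a web.config document."""
    root = ET.fromstring(xml_text.strip())
    protected, findings = [], []
    for section in root:
        if section.tag == "configSections":
            continue  # section declarations only, no values
        if section.get("configProtectionProvider"):
            # Match CipherValue by local name: the RSA provider emits it in the
            # XML Encryption namespace, the DPAPI provider without one.
            has_cipher = any(
                el.tag.rsplit("}", 1)[-1] == "CipherValue" and (el.text or "").strip()
                for el in section.iter())
            if has_cipher:
                protected.append(section.tag)
            else:
                findings.append((section.tag, "<no CipherValue>"))
            continue
        for add in section.iter("add"):
            key = add.get("key", "")
            if SECRET_KEY.search(key) and add.get("value"):
                findings.append((section.tag, key))
    return protected, findings

# Constructed samples, trimmed from the listings above.
BEFORE = """<configuration>
  <appSettings>
    <add key="Host" value="www.foo.com" />
    <add key="Token" value="qwerqwre" />
  </appSettings>
  <secureAppSettings>
    <add key="Password" value="asdfasdf" />
  </secureAppSettings>
</configuration>"""

AFTER = BEFORE.replace(
    '<secureAppSettings>\n    <add key="Password" value="asdfasdf" />',
    '<secureAppSettings configProtectionProvider="DataProtectionConfigurationProvider">\n'
    '    <EncryptedData><CipherData><CipherValue>AQAAANCMnd.......</CipherValue>'
    '</CipherData></EncryptedData>')

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_config(doc))
```

On the sample it still reports `Token` in `appSettings` after encryption, because protection applies only to the section named on the `aspnet_regiis` command line.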