Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 9, 2013

How to encrypt a custom configuration section in ASP.NET

Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encrypt a custom configuration section. Unfortunately, I quickly ran into trouble and got an error message along the lines of:

Encrypting configuration section...
An error occurred creating the configuration section handler for myConfigSection: Could not load file or assembly 'MyAssembly, Version=2.0.0.0, Culture=neutral' or one of its dependencies. The system cannot find the file specified.
...
Failed!

Disheartening, eh? I looked to the Internet and the advice seemed to be to copy the "missing" assembly to the .NET framework folder. I strongly suggest you don't do that, messing around in the framework's folder is not recommended. That folder belongs to Microsoft.

Fortunately I found a much easier workaround. I'll give an example where I encrypt the configuration section for the NWebsec security library, in the DemoSiteWebForms project that's part of the project's solution.


The screenshot shows the error you get when trying to encrypt the nwebsec/httpHeaderSecurityModule section.

The dreaded configuration section encryption error.

Now for the workaround. The configuration section is declared at the very top of the config file. Simply comment out the section declaration and you're good to go.

<configSections>
  <sectionGroup name="nwebsec">
    <!-- For information on how to configure NWebsec please visit: http://nwebsec.codeplex.com/wikipage?title=Configuration -->
    <!-- section name="httpHeaderSecurityModule" type="NWebsec.Modules.Configuration.HttpHeaderSecurityConfigurationSection, NWebsec, Version=2.0.0.0, Culture=neutral"/ -->
  </sectionGroup>
</configSections>


Success! Remember to uncomment the section declaration afterwards and your web.config should be all set.

You'll also need to comment out the configuration section declaration if you want to decrypt the configuration section.

You can have a look at Encrypting Configuration Information Using Protected Configuration to learn more about how configuration encryption works. It's well documented, except for this quirk.
Posted by at
Labels: , , ,

28 comments:

  1. Very clever and Ninjalike

    ReplyDelete

  2. Great finding. I followed your method and received a successful message from the encryption process but nothing has changed to my custom config content at all. Any suggestion would be much appreciated.

    ReplyDelete
    Replies

    1. Did you re-open the file after the configuration section was encrypted? There should be changes to the file when it reports success.

      Delete

  3. thank you Very much for your Solution.

    ReplyDelete

  4. This is great but if someone has got as far as your web.config then they probably have access to the machine key that you used for encryption.

    This means that they will then be able to decrypt it again. I would say this is VERY secret.

    ReplyDelete
    Replies

    1. Yes, if someone gets access to the production server you might be in trouble, but that depends on their level of access. The key container has its own ACL, and they would need to get hold of both the web.config and the key container file before the damage is done. With write access to the web.config on the production server they could also take a different approach by simply swapping the encrypted configuration with their own unencrypted one. This would be devastating if they did it for e.g. the machineKey settings. The moral of the story: don't let people access production servers unless you trust them. :)

      One of the primary advantages of encrypting the configuration section is that you can have the (encrypted) web.config in source control, nobody would be able to read the encrypted section unless they also had access to the key container - which should only exist on the production server and on some offline media stored in a safe/vault.

      Delete

  5. I am still getting same error

    ReplyDelete
    Replies

    1. You should check which assembly is mentioned in the error message, and comment out the configuration section declaration that refers to that assembly.

      Delete

    2. Thanks its working fine

      Delete

  6. Worked perfectly, thank you! :)

    ReplyDelete

  7. I was searching for an acceptable solution forever. This one did the trick! Thanks!

    ReplyDelete

  8. I wrote my own tool to perform configuration encryption and decryption to get-around this
    ridiculous problem.

    the problem is overcome in two ways, firstly if the assembly cannot be loaded it will automatically search for it recursively in bin directories below the config file. If this fails then It has a parameter that allows you to specify an assembly load hint path where it will look for assemblies that are required. If anyone wants a copy leave a comment. I will look to get this open sourced ASAP as I believe it will be useful.

    Carl

    ReplyDelete
    Replies

    1. Feel free to drop a link here if you open source it!

      Delete

  9. this worked. Thanks

    ReplyDelete

  10. Great tip! Thank you

    ReplyDelete

  11. worked thanks!

    ReplyDelete

  13. I've done this and have my custom section encrypting properly. However, when we run the web application, we get "Unrecognized attribute 'configProtectionProvider'" Have you encountered this?

    ReplyDelete

  16. I encourage you to familiarize with this information on how to tell if your phone is tapped.

    ReplyDelete

  19. Thank you Very much for your Solution.
    Gclub Slot Gclub ruby888

    ReplyDelete

Subscribe to: Post Comments (Atom)

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts