Monday, January 16, 2006

Wicked Code 2.0 -- (feature 2/5)

Feature 2:
Encrypted Configuration Sections

Developers are concerned about how to securely store sensitive information in config files like web.config without spending too much time/effort?

Did you know that you can encrypt sections of Web.config to prevent connection strings and other potentially injurious data from being stored in plaintext?

ASP.NET also offers you a choice of two encryption modes. One uses triple-DES encryption with a randomly generated key protected by RSA; the other encryption mode uses triple-DES encryption as implemented by the Windows® Data Protection API (DPAPI). You can add support for other encryption techniques by plugging in new data protection providers.

One call to ConfigurationSection.ProtectSection is sufficient to encrypt a configuration section; a subsequent call to ConfigurationSection.UnProtectSection decrypts it. Following a successful call to either method, you call Configuration.Update to write changes to disk.

No comments: