Question

I'm trying to understand how the aspnet_regiis.exe tool "encrypts" Web.config files.

Here is the documentation for how to use the tool:

I'm looking for answers to questions this documentation does not address:

  • Does this only work for Web.config files?

  • What exactly is encrypted? The whole config file?

  • Does IIS automatically know how to decrypt encrypted config files?

  • What encryption algorithms are used?

  • Are there any encryption keys (and/or passwords)? Where are they?

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)


Solution

  • Does this only work for Web.config files?

I think so, but a simple test will give you a sure answer. (Update: the tool assumes there is a web.config file. If you need to encrypt another file like app.config, just rename it to web.config.)

  • What exactly is encrypted? The whole config file?

You can specify sections that will be encrypted (see this link).

  • Does IIS automatically know how to decrypt encrypted config files?

Yes (same link).

  • What encryption algorithms are used?

You can choose a provider of your choice (same link).

  • Are there any encryption keys (and/or passwords)? Where are they?

Yes, there are if you use the RsaProtectedConfigurationProvider; see this link for more info.

  • Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)

Yes, using RsaProtectedConfigurationProvider it is possible.

For more general information on Protected Configuration, please refer to this guide on MSDN.
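
A read-only check that reports which sections of a config file are protected and which provider and algorithms the file itself declares, added here as an example that is not part of the original answer. The sample XML is constructed (cipher values are placeholders, and the algorithm URIs are sample values), and the function name Get-ConfigSectionProtection is hypothetical.

```powershell
# Constructed sample: only <connectionStrings> is protected; cipher values are placeholders.
$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="constructed-plaintext-value" /></appSettings>
</configuration>
'@

# Hypothetical helper: one row per top-level section, plus any nested section
# (inside a section group such as system.web) that carries the provider attribute.
function Get-ConfigSectionProtection {
    param([Parameter(Mandatory)][xml]$Config)
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#')
    foreach ($section in $Config.SelectNodes('/*/* | //*[@configProtectionProvider]')) {
        $data = $section.SelectSingleNode('enc:EncryptedData', $ns)
        $dataAlg = $null
        $keyAlg  = $null
        if ($data) {
            # Symmetric algorithm used for the section body
            $m = $data.SelectSingleNode('enc:EncryptionMethod', $ns)
            if ($m) { $dataAlg = ($m.GetAttribute('Algorithm') -split '#')[-1] }
            # Algorithm used to wrap the symmetric key (present with the RSA provider)
            $k = $data.SelectSingleNode('.//enc:EncryptedKey/enc:EncryptionMethod', $ns)
            if ($k) { $keyAlg = ($k.GetAttribute('Algorithm') -split '#')[-1] }
        }
        [pscustomobject]@{
            Section   = $section.LocalName
            Protected = [bool]$data
            Provider  = $section.GetAttribute('configProtectionProvider')
            DataAlg   = $dataAlg
            KeyWrap   = $keyAlg
        }
    }
}

Get-ConfigSectionProtection -Config ([xml]$sample) | Format-Table -AutoSize
```

To inspect a real file, pass `([xml](Get-Content -Raw .\Web.config))`; the function only reads the XML and needs no access to the key container.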

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow