How do I select/enforce AES encryption with aspnet_regiis to encrypt web.config values?

Question

I need to encrypt part of our web.config for our ASP.Net 4.0 project, but we are required to use AES and the default appears to be Triple DES. How can I tell it to use AES encryption instead?

In the command prompt I do the following commands:

aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp
aspnet_regiis -pe "connectionStrings" -app "/<myapp>"

I figure I set the encryption method to AES by selecting the appropriate CSP (-csp) but I haven't been able to find or figure out the name of the right one.

And one of the lines in the encrypted web.config is:

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

Answer 1

The provider is selected using the -prov parameter to aspnet_regiis. The providers are registered in the web/machine.config using the configProtectedData section. In order to register AES you would use something like this:

<configProtectedData>
    <providers>
        <add name="AesProvider"
            type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider"
            description="Uses an AES session key to encrypt and decrypt"
            keyContainerName="iisConfigurationKey" cspProviderName=""
            useOAEP="false" useMachineContainer="true"
            sessionKey="aSessionKeyGoesHere" />
    </providers>
</configProtectedData>

On my machine RSA and DPAPI are the preconfigured algorithms in machine.config.

Provided that the AES provider is registered you should be able to encrypt a config section using:

aspnet_regiis -pe "connectionStrings" -app "/<myapp>" -prov "AesProvider"