Encrypt and Decrypt Web.config ConnectionString Using aspnet_regiis

2015/10/31, 3 min read

Table of Contents

  1. Encrypt connectionString
  2. Decrypt connectionString
  3. Share Encrypted connectionString to Other Environments or Web Farms
  4. Complicated!!

Introduction

This post explains how to use aspnet_regiis.exe to encrypt and decrypt the connectionString section in your Web.config file, and how to share encrypted connection strings across environments or web farms.

Encrypt connectionString

The following task is only for the initial check-in of the encrypted connectionString. Once you have checked in the encrypted connectionString, you do not need to do the following again.

The following command uses aspnet_regiis.exe to encrypt the connectionStrings section of the Web.config in the given folder with a custom provider (here named customProvider). The first line is a concrete example; the second is the general form.

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pef connectionStrings C:\Projects2013\LDWebsite\Source\Development\DEV3\Website -prov "customProvider"
C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pef connectionStrings {folder that contains Web.config} -prov "customProvider"
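The -prov "customProvider" switch only works if Web.config itself declares a protected-configuration provider with that name; aspnet_regiis looks it up in the configProtectedData section. The fragment below is an added example, not from the original post: the provider name customProvider and the key container name YourRSAKeyName are taken from the post's commands, while the connection string values are constructed placeholders. It assumes the RSA container already exists on the machine, which is done once with aspnet_regiis -pc "YourRSAKeyName" -exp (the -exp switch marks the key exportable, which the -px export step later in the post requires).

```xml
<configuration>
  <!-- Added example (not from the original post). This provider entry is what
       "aspnet_regiis -pef connectionStrings ... -prov customProvider" refers to.
       keyContainerName must equal the container name used with -pc / -pi / -pa;
       useMachineContainer="true" stores the key machine-wide so the app pool
       identity can read it after -pa grants access. -->
  <configProtectedData>
    <providers>
      <add name="customProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="YourRSAKeyName"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>

  <!-- Plain-text section before running -pef (values are constructed placeholders).
       After encryption this element is rewritten as
       <connectionStrings configProtectionProvider="customProvider"> wrapping an
       <EncryptedData> element, and the application reads it transparently via
       ConfigurationManager.ConnectionStrings. -->
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=DB-PLACEHOLDER;Database=AppDb;User Id=app_user;Password=PASSWORD-PLACEHOLDER"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
```

A quick check after running -pef: open Web.config and confirm the connectionStrings element now carries configProtectionProvider="customProvider" and no readable credentials; if aspnet_regiis reports that the provider cannot be found, the name in -prov and the name attribute above do not match.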

Decrypt connectionString

Copy the encrypted connectionString into the Web.config's connectionStrings section and run the following command to decrypt it in place. The example below decrypts the Web.config in C:\Website.

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pdf connectionStrings C:\Website -prov "customProvider"

Share Encrypted connectionString to Other Environments or Web Farms

First, export the RSA key container, including its private key, to an XML file. Without -pri only the public key is exported and the other machine can encrypt but not decrypt:

C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -px "YourRSAKeyName" "c:\xmlKey.xml" -pri

On the other environment, run the following batch script from the folder that contains xmlKey.xml:

:: This script adds the RSA key container to each machine so that the encrypted connectionString can be used in any environment: local, dev, QA, or web farm.
:: The Web.config's connectionString is already encrypted. If you don't run this script, the application will not be able to read it.
:: Prerequisites:
:: 1. The target machine has .NET 4.0.
:: 2. aspnet_regiis.exe exists under C:\Windows\Microsoft.NET\Framework\v4.0.30319.
:: 3. The website's application pool identity runs as NetworkService.
:: The first aspnet_regiis call registers the RSA key container on the machine. The container name must match the one used at export time and the keyContainerName of the provider in Web.config.
:: The second call grants NetworkService read access to the RSA key container.
:: If both calls print 'Succeeded!', you're done. For how to use aspnet_regiis.exe to encrypt Web.config, see above.
set "keyPath=%cd%\xmlKey.xml"
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis -pi "YourRSAKeyName" "%keyPath%"
aspnet_regiis -pa "YourRSAKeyName" "NT AUTHORITY\NETWORK SERVICE"
pause

Complicated!!

I know, we could just use the same service account for the application pool and use that account to connect to the database, so we could remove the user and password from the connection string.

Conclusion

Using aspnet_regiis.exe is a reliable way to encrypt and decrypt connection strings in your Web.config. While the process involves multiple steps—especially when sharing keys across environments or web farms—it ensures sensitive database credentials are not stored in plain text. Alternatively, using a shared service account for the application pool can simplify things by removing credentials from the connection string entirely.