You frequently need to store important information in your application's configuration files, such as connection strings, user IDs or paths to files. Therefore, it would be a good idea to secure these files — or at least the sections needing security — to prevent unauthorized access. With Visual Studio 2005 and above, you can encrypt the contents of your configuration file — either from the command line or your own code — and the resulting configuration file works normally.
Encrypting from the command line
    aspnet_regiis -pe "appSettings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
Encrypting a configuration section in code (C#)
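    using System.Configuration;
    using System.Web.Configuration;

    // Open the configuration at the virtual path "/" and encrypt appSettings
    // only if it is not already protected.
    Configuration config = WebConfigurationManager.OpenWebConfiguration("/");
    ConfigurationSection sect = config.GetSection("appSettings");
    if (!sect.SectionInformation.IsProtected) {
        sect.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }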
Using the encrypted configuration
    // No decryption code is needed: the section is decrypted transparently on read.
    String secretValue = ConfigurationManager.AppSettings["secretStuff"];
    this.CurrentValueField.Text = secretValue;
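The following console program is an added example, not code from the original tip: it protects appSettings in a throwaway config file, checks that the plaintext is gone from disk, and reads the value back through the normal API. It assumes the .NET Framework on Windows with a reference to System.Configuration.dll; the class name, the temporary file and the sample value are constructed for illustration.

```csharp
using System;
using System.Configuration;
using System.IO;

static class ProtectedConfigDemo
{
    // Constructed sample: a throwaway config file with one made-up secret.
    const string Sample =
        "<?xml version=\"1.0\"?><configuration><appSettings>" +
        "<add key=\"secretStuff\" value=\"constructed-sample-value\" />" +
        "</appSettings></configuration>";

    static Configuration Open(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    static void Main()
    {
        string path = Path.GetTempFileName();
        File.WriteAllText(path, Sample);
        try
        {
            Configuration config = Open(path);
            ConfigurationSection sect = config.GetSection("appSettings");
            // GetSection returns null for an unknown section name, and a
            // locked section cannot be modified from this level.
            if (sect == null || sect.SectionInformation.IsLocked)
                throw new InvalidOperationException("appSettings is missing or locked");
            if (!sect.SectionInformation.IsProtected)
            {
                sect.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                sect.SectionInformation.ForceSave = true; // write the section even if otherwise unchanged
                config.Save(ConfigurationSaveMode.Modified);
            }

            // On disk: the plaintext value should be gone, replaced by <EncryptedData>.
            string raw = File.ReadAllText(path);
            Console.WriteLine("plaintext on disk: " + raw.Contains("constructed-sample-value"));
            Console.WriteLine("EncryptedData on disk: " + raw.Contains("EncryptedData"));

            // Through the API: reopening the file decrypts transparently.
            Configuration reopened = Open(path);
            Console.WriteLine("IsProtected: " + reopened.AppSettings.SectionInformation.IsProtected);
            Console.WriteLine("value via API: " + reopened.AppSettings.Settings["secretStuff"].Value);
        }
        finally { File.Delete(path); }
    }
}
```

With the default DataProtectionConfigurationProvider settings the key is tied to the machine, so a file protected this way decrypts only on the machine that encrypted it.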
Encrypting your configuration file will protect you against unauthorized access if a bad employee or hacker reads the file, but it won't protect you if you forget the password used to encrypt it. Remember to store a "clean" version of the configuration file somewhere safe.