Jwalin Khatri

Encrypting the Web.Config File

Posted by: jwalin on: June 26, 2009

Thank you Peter Vogel

Encrypting Sections
This is the code that I use to encrypt a specific section of the Web.config file. I first select a section using the Configuration object’s Sections collection. In this case, I’m selecting the connectionStrings section:

Dim configFile As System.Configuration.Configuration
Dim configSection As ConfigurationSection

configFile = System.Web.Configuration.WebConfigurationManager. _
OpenWebConfiguration(Request.ApplicationPath)
configSection = configFile.Sections("connectionStrings")

This code assumes that it’s running from a page on the site so I can use the ApplicationPath property on the Request object to get the physical path to the web.config’s folder. If you wanted to create a utility, you’d need to hard code the path you pass to the OpenWebConfiguration method.

Now that I have the section, I encrypt it, specifying the encryption scheme that I want to use. The last step is to save the encrypted version back to the config file:

configSection.SectionInformation. _
ProtectSection("RsaProtectedConfigurationProvider")
configFile.Save()

The result looks like this in the Web.config file:

<connectionStrings
    configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>…encrypted data… </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

The good news is that when you use the ConfigurationManager’s ConnectionStrings collection to retrieve an encrypted connection string, the connection string is automatically decrypted for you. This code works whether the connectionStrings section is encrypted or not:

Dim cnStr As String
cnStr = System.Web.Configuration.WebConfigurationManager. _
ConnectionStrings("Northwind").ConnectionString

Since the strings are encrypted using the private key for the Web server, even if the file is stolen from the site, it can’t be decrypted on any machine except the Web server. This also means that you can’t encrypt the connection string until the application has been moved to the production server: If you encrypt the connection string on the test server and then move your site to the production server, ASP.NET won’t be able to decrypt the string using the production server’s private key.
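
A deployment check for the point above, as an added example (not code from the original article): it classifies the connectionStrings section of a web.config as protected or unprotected by looking for the configProtectionProvider attribute and a non-empty CipherValue, as in the result shown earlier. It is written in Python so it can run as a stand-alone check outside the site; the function names, status strings and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents (the cipher text is a placeholder, not real output).
PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData>
      <CipherValue>Q09OU1RSVUNURUQ=</CipherValue>
    </CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="Northwind" connectionString="Data Source=.;Initial Catalog=Northwind" />
  </connectionStrings>
</configuration>"""


def local(tag):
    """Element name with any '{namespace}' prefix removed."""
    return tag.rsplit("}", 1)[-1]


def section_status(config_xml, section="connectionStrings"):
    """Return 'protected', 'unprotected', 'external' or 'missing'."""
    root = ET.fromstring(config_xml)
    node = next((e for e in root.iter() if local(e.tag) == section), None)
    if node is None:
        return "missing"
    if node.get("configSource"):
        return "external"  # section body is in another file; check that file
    # Namespaces are stripped, so a namespaced EncryptedData matches as well.
    wrapped = any(local(child.tag) == "EncryptedData" for child in node)
    has_cipher = any(local(e.tag) == "CipherValue" and (e.text or "").strip()
                     for e in node.iter())
    if node.get("configProtectionProvider") and wrapped and has_cipher:
        return "protected"
    return "unprotected"


def audit(configs):
    """configs maps a label to web.config text; return labels still unprotected."""
    return sorted(name for name, text in configs.items()
                  if section_status(text) == "unprotected")


if __name__ == "__main__":
    print(audit({"production": PROTECTED, "test": PLAINTEXT}))
```

A section reported as external keeps its contents in the file named by configSource, so that file has to be checked separately.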

On occasion, you’ll need to decrypt the web.config section just to check what’s actually in the file. This code takes care of that job:

Dim configFile As System.Configuration.Configuration
Dim configSection As ConfigurationSection

configFile = System.Web.Configuration.WebConfigurationManager. _
OpenWebConfiguration(Request.ApplicationPath)
configSection = configFile.Sections("connectionStrings")
configSection.SectionInformation.UnProtectSection()
configFile.Save()

Command Line Encryption
If you’d prefer not to use code, you can encrypt (or decrypt) sections of your web.config file using the aspnet_regiis utility. You must pass the utility the -pef parameter to specify the section to encrypt along with the path name to the config file’s folder, and you must also pass the -prov parameter to specify the encryption scheme:

aspnet_regiis.exe -pef section physical_directory -prov provider

This example encrypts the connectionStrings section for a config file in the c:\NorthwindCRM folder:

aspnet_regiis.exe -pef connectionStrings c:\NorthwindCRM -prov "RsaProtectedConfigurationProvider"

You can also use the aspnet_regiis utility to decrypt the section using the -pdf parameter instead of -pef.

Or you could just make sure that no one can steal text files from your Web server.

NOTE:

    When you change the configuration file while running, all Sessions would be reset… and data would be lost as well.
    The comment about changing the web.config file causing your application to (effectively) restart is an excellent point–and one I should have mentioned. You really do want to encrypt your config file !!AS SOON AS YOU DEPLOY IT!! and not after some users have started working with the application.
