Encrypt configuration sections that contain sensitive data
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Encrypt configuration sections that contain sensitive data such as SQL connection strings. The sections that usually contain sensitive information include <appSettings>, <connectionStrings>, <identity>, and <sessionState>. Use DPAPI to encrypt the sensitive data in the configuration file on your WCF server machine.
To encrypt the <connectionStrings> section by using the DPAPI provider with the machine-key store (the default configuration), run the following command from a command window:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
- -pe: Specifies the configuration section to encrypt.
- -app: Specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
- -prov: Specifies the provider name.
If you need to encrypt configuration file data on multiple servers in a Web farm, use the RSA protected configuration provider because of the ease with which you can export RSA key containers.
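To confirm the result after running aspnet_regiis, the following PowerShell check reports which of the four sections named above are still plaintext in a configuration file, and works for either the DPAPI or the RSA provider. It is an added example, not part of the original guidance; the function name Get-ConfigSectionProtection and the sample XML are constructed for illustration.

```powershell
# Added example: report which sensitive sections of a web.config are still plaintext.
function Get-ConfigSectionProtection {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        # Sections named on this page; <identity> and <sessionState> live under <system.web>.
        [string[]] $Sections = @('appSettings', 'connectionStrings',
                                 'system.web/identity', 'system.web/sessionState')
    )
    foreach ($section in $Sections) {
        # Match on local-name() so a default xmlns on <configuration> does not hide the section.
        $steps = @('configuration') + $section.Split('/') | ForEach-Object { "*[local-name()='$_']" }
        $node  = $Config.SelectSingleNode('/' + ($steps -join '/'))
        if ($null -eq $node) {
            [pscustomobject]@{ Section = $section; Status = 'Absent'; Provider = $null }
            continue
        }
        $provider = $node.GetAttribute('configProtectionProvider')   # '' when not set
        # A protected section contains an <EncryptedData> child instead of readable settings.
        $encrypted = $node.SelectSingleNode("*[local-name()='EncryptedData']")
        $status = if ($provider -and $encrypted) { 'Encrypted' } else { 'Plaintext' }
        [pscustomobject]@{ Section = $section; Status = $status; Provider = $provider }
    }
}

# Constructed sample: connectionStrings is protected, appSettings and sessionState are not.
[xml] $sample = @'
<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
  <system.web>
    <sessionState mode="SQLServer" sqlConnectionString="constructed-sample-value" />
  </system.web>
</configuration>
'@

Get-ConfigSectionProtection -Config $sample | Format-Table -AutoSize
# For a deployed file: Get-ConfigSectionProtection -Config ([xml](Get-Content -Raw .\web.config))
```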