You can use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) to encrypt or decrypt sections of a Web configuration file. ASP.NET will automatically decrypt encrypted configuration elements when the Web.config file is processed.
The Aspnet_regiis.exe tool is located in the %windows%\Microsoft.NET\Framework\versionNumber folder.
You can also use the protected configuration classes in the
Encrypting a Web Configuration Section
To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted.
Use the -app option to identify the application for which the Web.config file will be encrypted and the -site option to identify which Web site the application is a part of. The Web site is identified using the site number from the Internet Information Services (IIS) metabase. You can retrieve the site number from the INSTANCE_META_PATH server variable in the
Use the -prov option to identify the name of the
defaultProvider is used.
If you are using an
The following command encrypts the connectionStrings element in the Web.config file for the application SampleApplication. Because no -site option is included, the application is assumed to be from Web site 1 (most commonly Default Web Site in IIS). The encryption is performed using the RsaProtectedConfigurationProvider specified in the machine configuration.
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
When a page or other ASP.NET resource in the application is requested, ASP.NET calls the provider for the protected configuration section to decrypt the information for use by ASP.NET and your application code.
To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have permission to read the appropriate encryption key information. For more information, see Importing and Exporting Protected Configuration RSA Key Containers.
Decrypting a Web Configuration Section
To decrypt encrypted configuration file contents, you use the Aspnet_regiis.exe tool with the -pd switch and the name of the configuration element to be decrypted. Use the -app and -site switches to identify the application for which the Web.config file will be decrypted. You do not need to specify the -prov switch to identify the name of the ProtectedConfigurationProvider, because that information is read from the configProtectionProvider attribute of the protected configuration section.
The following command decrypts the connectionStrings element in the Web.config file for the ASP.NET application
aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
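The following check is an added example, not part of the original documentation: it reads a Web.config document and reports whether a section is actually protected, by looking for the configProtectionProvider attribute described above together with an EncryptedData element (XML Encryption namespace) as the section's only child. The function name, the sample documents and the CipherValue are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"  # namespace of <EncryptedData>

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def section_status(config_xml, section="connectionStrings"):
    """Return (state, provider); state is missing/plaintext/encrypted/inconsistent."""
    node = ET.fromstring(config_xml)
    for part in section.split("/"):  # same path form as the -pe argument
        node = next((c for c in node if _local(c.tag) == part), None)
        if node is None:
            return ("missing", None)
    provider = node.get("configProtectionProvider")
    children = list(node)
    enc = [c for c in children if c.tag == XMLENC + "EncryptedData"]
    if provider is None and not enc:
        return ("plaintext", None)
    # The section's own ciphertext sits directly under <EncryptedData>.
    cipher = enc[0].find(XMLENC + "CipherData/" + XMLENC + "CipherValue") if enc else None
    # Protected only if the attribute is set, EncryptedData is the sole child
    # (no clear-text elements left beside it) and it carries ciphertext.
    ok = (provider and len(children) == 1 and enc
          and cipher is not None and (cipher.text or "").strip())
    return ("encrypted" if ok else "inconsistent", provider)

# Constructed samples: a section before and after "aspnet_regiis -pe".
BEFORE = """<configuration><connectionStrings>
  <add name="Db" connectionString="Server=db;User Id=app;Password=EXAMPLE" />
</connectionStrings></configuration>"""

AFTER = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, section_status(doc))
```

An "inconsistent" result means the attribute and the encrypted payload do not agree (for example, clear-text elements left next to EncryptedData) and the file should be reviewed by hand.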