[Solved] How to Encrypt Connection Strings and MailSettings in ASP.NET Web.Config

Encrypt Your Web Application: It works Everywhere, No Admin Access Needed!

This method is versatile, allowing you to utilize it both on your local system and in web server environments where you might not have direct access to the command prompt with Administrator privileges. This is a common scenario for most website owners who host their sites with third-party hosting providers.

Introduction

In modern web applications, sensitive information like database connection strings and email settings are often stored in the web.config file. However, it's essential to protect this sensitive data from prying eyes and potential security breaches. In this article, we'll explore how to encrypt connection strings and MailSettings in the ASP.NET web.config file to enhance the security of your application.

Why Encrypting Connection Strings and Mail Settings Matters

By default, connection strings and MailSettings are stored as plain text in the web.config file. This exposes sensitive information, making it vulnerable to unauthorized access. Encrypting this data adds an extra layer of security, ensuring that even if an attacker gains access to the web.config file, they won't be able to extract the actual sensitive information.

In this article, we'll focus on two methods provided in the Security.cs class:

Use the following directives in Security.cs class

using System;
using System.Configuration;
using System.Web.Configuration;
1. EncryptConnString(): This method encrypts the connectionStrings section in the web.config file.

 // To encrypt connectionStrings - the method is called from Global.aspx
    public static void EncryptConnString()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            config.Save();
        }
    }
2. EncryptMailSettings():: This method encrypts the MailSettings section in the web.config file.

 // To encrypt MailSettings - the method is called from Global.aspx
    public static void EncryptMailSettings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("system.net/mailSettings/smtp");

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            config.Save();
            // Console.WriteLine("MailSettings section encrypted successfully.");
        }
        else
        {
            // Console.WriteLine("MailSettings section is already encrypted.");
        }
    }    

Global.aspx
The methods are then called from the Application_Start event in the Global.aspx file, ensuring they run during application startup.


    void Application_Start(object sender, EventArgs e)
    {
        Security.EncryptConnString();
        Security.EncryptMailSettings();
    }

When you restart the application, your web.config file will change automatically, and the plain text of ConnectionString and MailSettings will be converted to encrypted strings.
connectionStrings in web.config connectionstrings
mailSettings in web.config mailsettings

It is highly recommended to take a backup of your web.config file before executing this code so that you can revert the changes if required.

If you encounter the error "ConfigProtectionProvider is not allowed," please visit How to resolve 'ConfigProtectionProvider is not allowed' error? article for a solution


Rate Your Experience

: 90 : 0

Online Tests
Read more

Oracle Database
Read more

MSSQL Database
Read more

PostGres Database
Read more

Linux
Read more

ASP/C#
Read more

Navigation Panel