Encrypting Property Keys

The base Provider implementation provides for encryption of configuration values. Encryption is configured on the provider setup by specifying a list of field names and an encryption key as a string.

public OnCreateDefaultProvider(string section, object configData)
{
   var provider = new ConfigationFileConfigurationProvider<ApplicationConfiguration>()
   {  **
        PropertiesToEncrypt = "MailServerPassword,ConnectionString",
        EncryptionKey = "secret",**           
        ConfigurationSection = "ApplicationConfiguration"                    
    };

    return provider;
}

This encrypts only the specified fields so most of the configuration settings remain perfectly editable in a configuration file for example while the encrypted values have to be changed from within the application (typically through an admin interface - for an example look at the AppConfiguration.aspx page in the sample project).

Encryption uses TripleDes encryption so the actual encryption values are robust, however you are providing a string value as the key so the main security feature is the key. It's up to you to figure out how to create or store the key for maximum security.

For most casual security scenarios simple string values inside of the compiled code should suffice, however to prevent casual snatching of passwords and the like on a physical machine you might need to use binary values or obsfucated text from various sources to avoid embedding the password text into the binaries.

Web Applications can use the MachineKey to get a Seed Value

In Web applications a good choice is the MachineKey class which gives you a machine specific value. You can set the encryption key like this:

this.Provider.EncryptionKey = MachineKey.Encode(new byte[] { 3, 233, 8, 11, 32, 44 }, 
                                         MachineKeyProtection.Encryption);

There's still a hard coded value (the byte array), but it's encoded with the machine key which makes it significantly more difficult for somebody not on that machine to hack the seed, much less the encrypted value.

Note that machine key encryption only works on the same machine, so if your configuration settings are used on multiple machines this won't easily work unless you sync machine keys.


© West Wind Technologies, 1996-2016 • Updated: 12/19/15
Comment or report problem with topic