Home/ Questions/Q 677947
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T01:05:42+00:00

In my applications web.config file I have a connection string stored. I encrypted it

  • 0

In my applications web.config file I have a connection string stored.
I encrypted it using 

  '---open the web.config file
    Dim config As Configuration = _
       ConfigurationManager.OpenWebConfiguration( _
       Request.ApplicationPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
       config.Sections("connectionStrings")
    '---specify the protection provider
    section.SectionInformation.ProtectSection(protectionProvider)
    '---Apply the protection and update
    config.Save()

Now I can decrypt it using the code 

   Dim config As Configuration = _
       ConfigurationManager.OpenWebConfiguration( _
       Request.ApplicationPath)
    Dim section As ConfigurationSection = _
       config.Sections("connectionStrings")
    section.SectionInformation.UnProtectSection()
    config.Save()

I want to know where is the key stored, and also if somehow my web.config file is stolen, will it be possible for him/her to decrypt it using the code above.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The user keys are stored in:

    [Letter]:\Documents and Settings\[User]\Application Data\Microsoft\Crypto\RSA

    Machine keys are in:

    [Letter]:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    If someone has the file and the keys then yes, they’ll be able to decrypt. If only the file, no they won’t be able to.

    Also, if they decrypt using the same code on the same server, then yes. However, if they reach your server, it’s all over anyways.

    EDIT to add into the answer from comments:

    • Q: If I copy the key and paste it in some other PC along with the web.config, will it be decrypted?

    • A: If i’m not mistaken, the key will only work on that machine unless you do an import/export. However, as I say, if someone has gained access do this, you will be “dead in the water” already, as the compromised server will be devastating.

    • Q: I created one more web application and encrypted it.I see that no new key is created there.Did it use the same key for the 2nd application?

    • A: As far as I know, yes. The keys are generated per machine, per user to my knowledge.
    • 0