To encrypt web.config sections on both sites in a farm and single servers, from what I understand using the following command will encrypt my web.config connection strings using the local machine key
aspnet_regiis.exe -pef "connectionStrings" "C:\website\mywebsite"
However I could create my own keys using the -pc operator and use something like this:
<configProtectedData>
  <providers>
    <add name="MyProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
         keyContainerName="MyKeys"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
What I don't understand is: what is the difference? Is RsaProtectedConfigurationProvider less secure, as it's using the machine key and it's not possible to change? Should I use my own keys so I can change them? Which is the recommended solution for both a farm and a single server? Or is there a better way to encrypt these sections without having to change or write any code?
For a single server you can reuse the key container installed by ASP.NET; if I'm not mistaken it's called NetFrameworkConfigurationKey. You just need to make sure that you give the account running your ASP.NET site the proper permissions to the key container. For a Web Farm it is better to create a custom key container on one machine and then export it to all other machines in the Web Farm; this way you can reuse the same encrypted config file, saving you the time to encrypt the file on each Web Farm machine. However, this is not mandatory: you can deploy an unencrypted configuration file and encrypt it on each machine using each machine's ASP.NET default key container.
Also, the question title is a little misleading: when it comes to encryption you should always use a well-established library and not go the roll-your-own route with custom encryption logic, which is difficult and easy to get wrong.
In terms of using a custom key container or reusing the one installed by ASP.NET with the RsaProtectedConfigurationProvider, there is no difference in the level of security provided.
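Putting the answer's Web Farm procedure together with the question's custom provider block, here is an added PowerShell example that is not from either poster. It assumes the .NET 4 64-bit aspnet_regiis.exe, the container name "MyKeys" and provider name "MyProvider" from the question's web.config, an app pool identity "IIS APPPOOL\MyAppPool" and an export path C:\secure\MyKeys.xml; it also adds a verification step the posts do not mention.

```powershell
# Added example (not the question's or answer's code): create a custom, exportable RSA
# key container on one farm node, grant the worker process access, encrypt the
# connectionStrings section with it, and export the container for the other nodes.
# Assumed values: container "MyKeys" and provider "MyProvider" (from the question's
# web.config), site path C:\website\mywebsite, identity "IIS APPPOOL\MyAppPool".
$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'MyKeys'
$sitePath  = 'C:\website\mywebsite'
$identity  = 'IIS APPPOOL\MyAppPool'
$exportXml = 'C:\secure\MyKeys.xml'

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create a machine-level RSA container. -exp marks the private key exportable,
#    which step 4 needs; on a single server that never exports, leave -exp off.
Invoke-RegIis @('-pc', $container, '-exp')

# 2. Grant the account running the site read access to the container
#    (the permission step the answer points out).
Invoke-RegIis @('-pa', $container, $identity)

# 3. Encrypt the section with the custom provider declared in web.config (-prov);
#    without -prov the default RsaProtectedConfigurationProvider container is used.
Invoke-RegIis @('-pef', 'connectionStrings', $sitePath, '-prov', 'MyProvider')

# 4. Export the container with its private key (-pri) so the other farm nodes can
#    decrypt the same web.config. Restrict access to this file and delete it after import.
Invoke-RegIis @('-px', $container, $exportXml, '-pri')

# 5. Verify: the section in web.config should now hold an <EncryptedData> element.
$cfg = [xml](Get-Content (Join-Path $sitePath 'web.config'))
if (-not $cfg.configuration.connectionStrings.EncryptedData) {
    throw 'connectionStrings was not encrypted'
}

# On each remaining farm node, after copying $exportXml there, import the container
# and grant the same access; the encrypted web.config can then be deployed unchanged:
#   aspnet_regiis.exe -pi MyKeys C:\secure\MyKeys.xml
#   aspnet_regiis.exe -pa MyKeys "IIS APPPOOL\MyAppPool"
```

Run from an elevated prompt, since creating and exporting machine-level key containers requires administrator rights.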