Encrypting a section of a config file using aspnet_regiis.exe - "The configuration for physical path '*web.config' cannot be opened."
We already know that the ASP.NET IIS Registration tool (Aspnet_regiis.exe) is used to register ASP.NET applications with Internet Information Services (IIS). It provides some other features as well, and most of them are covered in its MSDN article. One such feature is encryption of config file sections, which exists for security reasons. The MSDN article How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI focuses on this feature.
The purpose of this blog post is to shed some light on this feature and to point out one common mistake made while using it.
1. We will look at when we can get an error like "The configuration for physical path '*\web.config' cannot be opened."
2. Using this feature to encrypt config sections of a Windows/console application's configuration file, i.e. app.config
1. “The configuration for physical path ‘web.config' cannot be opened”
Most of the time this error occurs because the path to the config file is incorrect. But in this case, when we check the path, it seems to be correct. If you look closely at the command again, you will find a difference from the one mentioned in the above MSDN article. So here is your command:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb\web.config" -prov "DataProtectionConfigurationProvider"
Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Decrypting configuration section...
The configuration for physical path 'C:\inetpub\wwwroot\testweb\web.config' cannot be opened.
Failed!
Did you find the difference? Yes, "web.config" is specified in the command. Of course, it seems natural to specify the name of the file we are targeting for encryption. But hold on: remember that Aspnet_regiis.exe is only meant for websites, and that there can be only one web.config file inside any folder. Even if a file is named web1.config, it is of no use because the ASP.NET engine is not going to read it. So what's the point?
The point is that Aspnet_regiis.exe implicitly assumes that the specified path contains a web.config file, and it will encrypt the specified section of that file. So you just have to specify "C:\inetpub\wwwroot\testweb" and web.config will be added by the tool automatically. If a web.config file does not exist inside the folder, it will create an empty web.config file with an empty section inside it and then encrypt it (give it a try). The command should look like the following:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\testweb" -prov "DataProtectionConfigurationProvider"
The same thing applies to decryption as well, and the command should look like this:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pdf "appSettings" "C:\inetpub\wwwroot\testweb"
2. Using this feature for encryption of config sections of windows/console application’s configuration file i.e. app.config
Now the question is: how do we encrypt a section of an app.config file if aspnet_regiis.exe only looks for a web.config file, and after a build app.config files follow the naming convention AppTitle.exe.config?
Here is a screenshot of one such Windows application's configuration file, SampleApp.exe.config.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <appSettings>
    <add key="sConnectionString" value="Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User Id=Your_Username;Password=Your_Password;" />
  </appSettings>
</configuration>
Since we are aware of this limitation of aspnet_regiis.exe, we can find a workaround for it. Let's fool aspnet_regiis.exe: what if we rename SampleApp.exe.config to web.config? :)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\SampleApp.exe.config web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -pef "appSettings" E:\SampleApp\SampleApp\SampleApp\bin\Release -prov DataProtectionConfigurationProvider
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>rename E:\SampleApp\SampleApp\SampleApp\bin\Release\web.config SampleApp.exe.config
Here is a screenshot of the encrypted config file. The final step is to rename it back to SampleApp.exe.config.
<?xml version="1.0" encoding="utf-8" ?><configuration> <startup> <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /> </startup> <appSettings configProtectionProvider="DataProtectionConfigurationProvider"> <EncryptedData> <CipherData> <CipherValue> AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAVPxdfgBHA02++GKp0N/yYgQAAAACAAAAAAADZgAAwAAAABAAAADZaWlaU2XHAEquSvyREPJWAAAAAASAAACgAAAAEAAAAPbsjf6iKY3mQ0duO6Hk0mSY AQAAiwBI8J7lX73foO39YqjhtaSZ5H+e+h0Oc4vgzc2Eegkx1Ch67MBIFek7LhEtMKN06YVWw/lTdc+llLcjcjPfzvieupil2fOLZDAc6CSbTXItunMyhJWu3vlW+O/HPTtowq/c6Hz6TzryInBAxyX8ZBLRaFOU3 JwhcjwEVoqWRZGNryO8sE5ntHEFatgiTh7pPvqtfMqd0UZz2lWWd+r/xJIr5ig6kfORkKE/plvATpey8zmTQNrxQx1v/dELislsBURDSHAmrL7CIDkbg5tQmj9cHtBh7BSUFHrK8JtCSPbTbUHVU4lcfbjMIrZ/1q inc0o0RTfhwusH+KLjSWb224E2ycxm3jubDM35dtZaGPrKCYpZS6KhaX4IVMFr5RMbdK+sJj4JLtN7O2kosM8nmYhPs+P0SUsBeJ117beE7egk5CWt7LdGXIAaRtdfEJVBFXWc5OKQGJQGWJVRPDslxgA/hviXk6y uPWS5gEc1aY+iSRAaqO+53nAEBvlurYrCp1MqjE75pTL56kcOrpYET89VN6dcDPWGFAAAALHIG4IJ0+C+oE9TkcY55KxCFkD6 </CipherValue> </CipherData> </EncryptedData> </appSettings></configuration>
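The rename workaround above, wrapped as a PowerShell script so that the file is always renamed back and the result is checked in the XML itself (an added example, not code from the original post). The parameter names, the `.bak` backup name and the default aspnet_regiis.exe path are this example's assumptions; run it on the machine that will run the application, because with the provider's default machine-level DPAPI protection the section cannot be decrypted on another machine.

```powershell
# Added example (not from the original post): rename workaround with rollback and verification.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,   # e.g. ...\bin\Release\SampleApp.exe.config
    [string] $Section  = 'appSettings',
    [string] $Provider = 'DataProtectionConfigurationProvider',
    [string] $RegIis   = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
)
$ErrorActionPreference = 'Stop'

$config = Get-Item -LiteralPath $ConfigPath
$dir    = $config.DirectoryName
$temp   = Join-Path $dir 'web.config'

# Never clobber a real web.config that already lives in the folder.
if (Test-Path -LiteralPath $temp) { throw "$temp already exists; refusing to overwrite it." }

# Keep a plaintext backup until the result is verified (.bak name is this example's choice).
$backup = "$($config.FullName).bak"
Copy-Item -LiteralPath $config.FullName -Destination $backup

Rename-Item -LiteralPath $config.FullName -NewName 'web.config'
try {
    # Pass the folder, not the file: aspnet_regiis.exe appends web.config itself.
    & $RegIis -pef $Section $dir -prov $Provider
}
finally {
    # Rename-Item wants the full path first and a bare file name second.
    Rename-Item -LiteralPath $temp -NewName $config.Name
}

# Verify the outcome in the file itself rather than trusting the tool's console output.
[xml] $xml = Get-Content -LiteralPath $config.FullName -Raw
$node = $xml.configuration.SelectSingleNode($Section)
$ok = $node -and
      $node.GetAttribute('configProtectionProvider') -eq $Provider -and
      $node['EncryptedData']
if (-not $ok) {
    throw "Section '$Section' is still plaintext; backup kept at $backup"
}

# The backup holds the secrets in clear text, so remove it once encryption is confirmed.
Remove-Item -LiteralPath $backup
"Encrypted '$Section' in $($config.FullName)"
```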
Hope you like it!
Please let me know if there are any concerns or queries.
Thanks
Gaurav
Comments
Anonymous
November 13, 2013
This was a great solution and information. I have multiple config files for my windows apps and it worked like a charm. Thank you!
Anonymous
November 13, 2013
Thanks for the feedback Archna
Anonymous
December 20, 2013
nice blog! can you please also mention how to go on and use RSA encryption algorithm or 3DES and specify key using this tool.
Anonymous
December 20, 2013
Thanks Rodrigus! You can change the provider like following -prov "RsaProtectedConfigurationProvider" For more options read following MSDN articles msdn.microsoft.com/.../zhhddkxy(v=vs.100).aspx msdn.microsoft.com/.../2w117ede(v=vs.100).aspx
Anonymous
January 14, 2014
can you get a more small font size?? This is too BIGGG TO READ!!!!
Anonymous
February 17, 2014
I have renamed the config file and encrypted it. But I am unable to rename it to older as it says "The system cannot find the file specified"
Anonymous
February 20, 2014
Hafeez, Are you sure that your directory has web.config file which you are trying to rename now back to app.config? Adam, I think you want me to increase the font size, I will try to fix this soon. :)
Anonymous
March 17, 2014
I am using multiple external files for the config file. All these external files are in one common folder for easy maintenance. Example my folder "ExternalConfigs" multiple config files in different name. How do I target the specific file in case of multiple external config files?
Anonymous
April 15, 2014
Garush, I am not sure if encrypting external config files is possible till now. Thanks Gaurav
Anonymous
January 07, 2016
I had actually figured out the renaming trick myself, but it was great to find some validation that it is OK to do and works.
Anonymous
January 21, 2016
Hi, After Encryption web.config file for connection string, After moving config file for production the file gets overwritten often at irregular intervals. Due to which our application is redirecting to login page. Kindly let me know the solutions ASAP.