ASP.NET can encrypt sections of the web.config automatically. For WinForms applications the same does not seem possible for the app.config, and that is partly true: WinForms offers no tools to configure it. But it can be done. It is all .NET, isn’t it? So how do we do it? Read on and see how.

First let me explain something about configuration files in .NET. The app.config and web.config files are divided into sections. Encryption and decryption are performed on individual sections and not on the file as a whole.

Developers can extend a configuration file by defining custom sections. This is done by adding a section tag to the configSections element or to a sectionGroup element, as in the example below. The name attribute of the section element specifies the name of the new section. The type attribute specifies the handler that processes the configuration section: it gets the data out of the section. As you can see in the example below, I implemented both scenarios.

```xml
<configuration>
  <configSections>
    <section name="Vault" type="System.Configuration.NameValueSectionHandler" />
    <sectionGroup name="applicationSettings"
                  type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="EncryptConnStringsSection.My.MySettings"
               type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               requirePermission="false" />
    </sectionGroup>
  </configSections>
  <connectionStrings>
    <add name="EncryptConnStringsSection.My.MySettings.testConn"
         connectionString="Data Source=kissvr07;Initial Catalog=ProjectX_Dev;Integrated Security=True" />
  </connectionStrings>
  <!-- The rest of the file is not shown in this excerpt. -->
</configuration>
```

Now that I have explained how to create sections in the app.config, let’s go on to show how to encrypt a section. It is really a simple operation. And once a section has been encrypted you do not have to worry about decrypting it. The .NET Framework does it automatically for you. It is a transparent operation and works as if you did not encrypt the section.

The configuration namespace contains a class that represents a section. This class is called ConfigurationSection. A member of this class is the SectionInformation property. This property gets information about a section and it has the method ProtectSection defined on it. This method encrypts the section. Out of the box there are two encryption algorithms supported via providers: DpapiProtectedConfigurationProvider and RsaProtectedConfigurationProvider. The default provider is RsaProtectedConfigurationProvider. You use the default provider by passing Nothing/null as a parameter to the ProtectSection method.

I wrote the following class to demonstrate this method.

```vb
Imports System
Imports System.Configuration

''' <summary>
''' This class protects (encrypts) a section in the application's configuration file.
''' </summary>
''' <remarks>The <seealso cref="RsaProtectedConfigurationProvider" /> is used in this implementation.</remarks>
Public Class ConfigSectionProtector

    Private m_Section As String

    ''' <summary>
    ''' Constructor.
    ''' </summary>
    ''' <param name="section">The section name.</param>
    Public Sub New(ByVal section As String)
        ' ArgumentNullException expects the name of the offending parameter.
        If String.IsNullOrEmpty(section) Then Throw New ArgumentNullException("section")

        m_Section = section
    End Sub

    ''' <summary>
    ''' This method protects a section in the application's configuration file.
    ''' </summary>
    ''' <remarks>The <seealso cref="RsaProtectedConfigurationProvider" /> is used in this implementation.</remarks>
    Public Sub ProtectSection()
        ' Get the current configuration file.
        Dim config As Configuration = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim protectedSection As ConfigurationSection = config.GetSection(m_Section)

        ' Encrypt when possible.
        If ((protectedSection IsNot Nothing) _
            AndAlso (Not protectedSection.IsReadOnly) _
            AndAlso (Not protectedSection.SectionInformation.IsProtected) _
            AndAlso (Not protectedSection.SectionInformation.IsLocked) _
            AndAlso (protectedSection.SectionInformation.IsDeclared)) Then
            ' Protect (encrypt) the section.
            protectedSection.SectionInformation.ProtectSection(Nothing)
            ' Save the encrypted section.
            protectedSection.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Full)
        End If
    End Sub
End Class
```

As you can see, this class also has a method ProtectSection. Basically it gets the section information out of the app.config and checks whether the section can be encrypted. If so, it protects the section using the default encryption provider and saves it. And it’s done.

Protecting connection strings

It is simpler to protect or unprotect connection strings. It can be done with the following code sample:

```vb
' Connection string encryption
Dim config As Configuration = _
    ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
config.ConnectionStrings.SectionInformation.ProtectSection(Nothing)
' Write the encrypted section back to the file; without Save() nothing is persisted.
config.Save()
```
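The snippet above only protects with the default provider. The following added example (not code from the original article) also covers unprotecting, choosing a provider by name, and checking the saved file. The module and function names are assumptions made for illustration; the two provider names are the ones registered in the .NET Framework machine.config.

```vb
Imports System.Configuration
Imports System.Xml

' Added example, not part of the original article. Module and function names are
' illustrative. Requires a project reference to System.Configuration.dll.
Public Module ConnectionStringProtection

    ' Provider names as registered in the .NET Framework machine.config.
    Public Const RsaProvider As String = "RsaProtectedConfigurationProvider"
    Public Const DpapiProvider As String = "DataProtectionConfigurationProvider"

    ''' <summary>
    ''' Encrypts (protect = True) or decrypts (protect = False) the connectionStrings
    ''' section and returns True when the saved file is in the requested state.
    ''' </summary>
    Public Function SetProtection(ByVal protect As Boolean, ByVal providerName As String) As Boolean
        Dim config As Configuration = _
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim info As SectionInformation = config.ConnectionStrings.SectionInformation

        ' A locked section cannot be changed at this level.
        If info.IsLocked Then Return False

        If protect AndAlso Not info.IsProtected Then
            info.ProtectSection(providerName)
        ElseIf (Not protect) AndAlso info.IsProtected Then
            info.UnprotectSection()
        End If

        ' Without Save() the change exists only in memory.
        info.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
        ' Make ConfigurationManager.ConnectionStrings re-read the file.
        ConfigurationManager.RefreshSection("connectionStrings")

        Return IsEncryptedOnDisk(config.FilePath) = protect
    End Function

    ''' <summary>Inspects the raw XML: a protected section carries a
    ''' configProtectionProvider attribute and an EncryptedData child element.</summary>
    Public Function IsEncryptedOnDisk(ByVal configPath As String) As Boolean
        Dim doc As New XmlDocument()
        doc.Load(configPath)
        Dim node As XmlElement = TryCast(doc.SelectSingleNode( _
            "/*[local-name()='configuration']/*[local-name()='connectionStrings']"), XmlElement)
        If node Is Nothing Then Return False
        Return node.HasAttribute("configProtectionProvider") AndAlso _
            node.SelectSingleNode("*[local-name()='EncryptedData']") IsNot Nothing
    End Function
End Module
```

Both built-in providers use machine-level keys by default, so a file encrypted on one machine is not readable on another unless the RSA key container is exported and imported there. Saving also requires write access to the application's .config file.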

Updated: I published it on The Code Project. It may be more up to date there. Check it out.