C# – Provider not found when encrypting web.config

asp.netcencryptionweb.config

I'm trying to encrypt a custom section in a web.config file.
When I get to the line that calls ProtectSection(), I get an exception saying the provider isn't found.

Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);  
ConfigurationSection section = config.GetSection("MySection");  
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

I tried it with RSA as well and got the same error.
Running aspnet_regiis.exe works, but I need to do this programatically. What am I missing?

Thank you.

Best Answer

You are right to use `DataProtectionConfigurationProvider' (see here for the provider names - the provider name for dpapi doesn't have dpapi in it - but the provider for rsa does), however, your problem is that you can't run iisreg on a section named "MySection" - it has to be certain sections.

What the message means is that there is no provider available for use with that particular section.

To test your code, however, you might try it with "AppSettings" or "connectionStrings" or "system.net/mailSettings/smtp". - all of which work with aspnet_regiis.exe.

See this other Stack Exchange thread about how to encrypt custom sections.

Related Solutions

R – Encrypting web.config using Protected Configuration pointless

You need at least write access to the filesystem to be able to decrypt it, assuming you're using the DPAPI provider. Ways to decrypt it include:

Copy an aspx page containing decryption code to the server and navigate to it
Log in on the server and run an application to decrypt it.

But it protects against decryption by an unauthorised user who has read access to the filesystem or a backup of the filesystem.

Typically you would set up your production servers so that only authorized adminstrators can log in to the server or write to its filesystem.

Developers might have remote read access for support purposes, and would not be able to decrypt the config file remotely.

Encryption/decryption is easy with standard libraries: the hard part is ensuring only authorized people have access to the keys.

If you're using DPAPI, you're essentially delegating management of the keys to Windows security. If you use another provider such as RSA, you need to store the key somewhere, and protect it against unauthorized access e.g. using an ACL.

Using ASPNet_Regiis to encrypt custom configuration section – can you do it

aspnet_regiis must be able to bind the assembly. The normal .net binding rules apply.

I get around this by creating directory called aspnet_regiis_bin in the same directory as aspnet_regiis.exe and an aspnet_regiis.exe.config file with aspnet_regiis_bin as a private path like this:

<configuration>
   <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
         <probing privatePath="aspnet_regiis_bin"/>
      </assemblyBinding>
   </runtime>
</configuration>

I then copy the assemblies that define the custom configuration sections into aspnet_regiis_bin so that aspnet_regiis can find them.

This procedure doesn't require the assemblies to be strong named or in the GAC but does require messing around in the framework directories.

Best Answer

Related Solutions

R – Encrypting web.config using Protected Configuration pointless

Using ASPNet_Regiis to encrypt custom configuration section – can you do it

Related Topic