Encrypt your connection strings for multiple machines

by: Per Bjurström

Scenario

  • You have one or more connection strings in a web application that you are running on multiple development and/or production machines.
  • The connection strings are identical in all environments, so it would be convenient to have the encrypted version checked in to source control and just deploy the keys to whatever machines are running the application.

Disclaimer: I haven't actually tested this with EPiServer CMS 5 but it should work, I'm currently using this technique on another web application in development.

Step by step

1. Store the connection strings in the <connectionStrings> section of your application's local web.config (read more about the connectionStrings section here). Replace the name AppX with the name of your application in the steps that follow.

2. Start a Visual Studio Command Prompt (right-click and select 'Run as administrator' if you are on Windows Vista).

3. Create exportable keys on your machine:
aspnet_regiis -pc "AppXKeys" -exp

4. Add a section with a custom provider in web.config:

<configProtectedData>
  <providers>
    <add keyContainerName="AppXKeys"
         useMachineContainer="true"
         name="AppXKeysProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</configProtectedData>

5. Run this command to encrypt your connection strings (make sure you change the path to the location of your project):
aspnet_regiis -pef connectionStrings "c:\Users\Per.000\Documents\Visual Studio 2005\Projects\AppX\AppX" -prov "AppXKeysProvider"

6. Now export your keys into the project (and again, change the path):
aspnet_regiis -px "AppXKeys" "c:\Users\Per.000\Documents\Visual Studio 2005\Projects\AppX\AppX\AppXKeys.config" -pri

7. Include the file in your project in Visual Studio and add it to source control, but make sure you change its Build Action to None so it doesn't get published to a production server by mistake.

8. Copy the AppXKeys.config file to the production machine (or whatever machine you are deploying to) and run this command to import the keys:
aspnet_regiis.exe -pi AppXKeys c:\AppXKeys.config

9. Delete the AppXKeys.config file on the production machine.

10. For IIS to be able to read your keys you have to give the Application Pool account permission to access the key container. Run this command to give the default account on Windows Server 2003 the required permissions:

aspnet_regiis -pa "AppXKeys" "NT Authority\Network Service"

That's it, you're done.
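As an added example (not part of the original post, nor code from aspnet_regiis or EPiServer), the script below performs steps 8 to 10 on the target machine and adds the two checks behind the troubleshooting cases that follow: it refuses an export made without -pri, and it opens the container by name before the key file is deleted. It assumes the 32-bit .NET 2.0 install path, the Windows Server 2003 default pool identity, and that the export has the RSAKeyValue XML layout written by aspnet_regiis -px; the first two are parameters you can change.

```powershell
# Added example, not from the original post: the production-side steps 8-10 as one script,
# plus checks for the two troubleshooting cases. Assumes the 32-bit .NET 2.0 path
# (use Framework64\v2.0.50727 on x64) and that the export uses the RSAKeyValue XML
# layout written by "aspnet_regiis -px" (private parameters P, Q, DP, DQ, InverseQ, D).
param(
    [string]$KeyFile        = 'C:\AppXKeys.config',
    [string]$Container      = 'AppXKeys',
    [string]$AppPoolAccount = 'NT Authority\Network Service'   # Windows Server 2003 default
)
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

# An export made without -pri holds only the public key (no <D> element). Importing it
# succeeds, but decryption at runtime fails with "Bad data", so refuse it up front.
[xml]$keyXml = Get-Content $KeyFile
if (-not $keyXml.RSAKeyValue.D) {
    throw "$KeyFile has no private key; re-export on the development machine with -pri"
}

# Step 8: import the key pair into the machine-level container.
& $regiis -pi $Container $KeyFile
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed (exit code $LASTEXITCODE)" }

# Step 10: grant the application pool identity access to the container.
& $regiis -pa $Container $AppPoolAccount
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed (exit code $LASTEXITCODE)" }

# Open the container by name from the machine store. UseExistingKey makes .NET throw
# instead of quietly creating a fresh (useless) container when the name is misspelled,
# which is the other cause of "Bad data" named in the troubleshooting section.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $Container
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor `
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    Write-Host ("Container '{0}' opened: {1}-bit key, private key present: {2}" -f `
                $Container, $rsa.KeySize, (-not $rsa.PublicOnly))
    $rsa.Clear()
} catch {
    throw "RSA key container '$Container' could not be opened: $($_.Exception.Message)"
}

# Step 9, done last so the export survives if a check above fails: the private key now
# lives in the container, so remove the plaintext file.
Remove-Item $KeyFile -Force
# Note: the check runs as the deploying admin, so it proves the container exists, not
# that the pool account can read it; that part rests on the -pa exit code above.
```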

Troubleshooting "Bad data" error message

Let me guess, you missed the -pri parameter in step 6? That's what I did the first time I tried to get this working. Another source of error is misspelled key container names; in this example, make sure you use the same name "AppXKeys" in all places.

Troubleshooting "The RSA key container could not be opened"

The most likely source of this error is access rights: make sure that the application pool your application is running under has been given the correct access rights to the key container in step 10.


14 November 2007