Encrypting a web.config file

1. Publish your web application to IIS

2. Determine the identity of your application

This is often going to be IIS APPPOOL[Your application pool name]</strong>. Mine for example is <strong>“IIS APPPOOLDefaultAppPool. If you wish to verify this, it is accessible via the following line of code:


3. Grant ASP.NET read access to the RSA key container

The RSA key container contains the RSA key data that is used to encrypt and decrypt the web.config file. ASP.NET needs to be able to access the key container in order to perform this operation. To grant access, open the command prompt as administrator and navigate to the following directory:

C:WindowsMicrosoft.NETFramework[.NET Framework Version]

Then, execute the following command:

 aspnet_regiis –pa “NetFrameworkConfigurationKey” “[Your application identity]”

Don’t forget the quotation marks around the final two values. If this fails, you may have forgotten to run the command prompt as administrator. Keep your command prompt open.

4. Generate the keys

The keys for encryption and decryption need to be generated and written to your web.config file. This is done after the application is published to IIS. In IIS8 generating keys is easy. Simply navigate to your website in the IIS manager and click on “Machine Key”.

Then in the following window in the “Actions” bar on the right, click “Generate Keys”, followed by “Apply”.

Now, open your deployed web.config file and verify that there is an entry called

What this does is insert a key into the web.config file of the selected application, allowing its sections to be encrypted and decrypted by IIS.

5. Encrypt the data

Go back to the command prompt that you used to grant access to the RSA container. Type the following command:

aspnet_regiis -pe “[Path to the config element]” -app “/[Virtual path to your application]”

Again, don’t forget the quotation marks. This command does two main things :

  1. Looks in the configuration file of the given application for the given configuration element and encrypts it.
  2. Specifies to ASP.NET that this element in this application needs to be decrypted before it is accessed.

Once you have finished encrypting the desired sections, you need to finish by encrypting the machine key. Do this by passing system.web/machineKey as the first argument to the above command.

That’s all there is to it. IIS will be able to read the encrypted configuration settings and your sensitive data will be obscured from anybody who has access to the web.config. Should you ever need to decrypt a section, simply run the encryption command, specifying -pd instead of -pe.