Learning never exhausts the mind


In this tutorial, we will look at implementing the cryptography object in C# to encrypt and decrypt information, either passwords or connection strings and prevent unauthorised eyes from prying at your passwords.

Due to bizarre and strange legal issues, we are unable to go into any detail regarding the actual techniques involved during the encryption process, however, we can use the classes provided by Microsoft to encrypt our data. We have an article which can give you an overview of how cryptography works which you may find interesting.

In this article, we will have a look at simple string encryption and decryption with a focus on saving encrypted connection strings in the web.config or app.config files.

There are two methods for encrypting data in the web.config. There is a manual way and an automatic way. To start with we will look at manually encrypting the connection string.

string conStr = "Driver={SQL Native Client};Server=myServerAddress;Database=myDataBase;Uid=myUsername;Pwd=myPassword;";

This is a typical connection string to a SQL server with a username and password. This is not the sort of information that should be accessible but stored like this it can be accessed by anyone who can view the C# source code (not the HTML source code sent to browser unless a coding error includes it.)

It would be far better to encrypt this string so that it is meaningless without a proper decryption. We can do this with a simple base64 encoding which will only be effective against a casual reader and is not secure, or we can implement one of the many encryption routines supported by .Net. In this example, we will use the DES method.

All of the encryption methods require binary data as an input and they all return binary data. When you are encrypting strings they will need to be converted to binary beforehand.

// The plain string to encrypt
string plaintextString = "This is an encryption test";

// Binary representation of plain text string
byte[] plaintextBytes = (new UnicodeEncoding()).GetBytes(plaintextString);

Next, we need to create a memory stream to hold the result data and an encryption algorithm.

// Encrypt using DES
SymmetricAlgorithm sa = DES.Create();
MemoryStream msEncrypt = new MemoryStream();
CryptoStream csEncrypt = new CryptoStream(msEncrypt, sa.CreateEncryptor(), CryptoStreamMode.Write);
csEncrypt.Write(plaintextBytes, 0, plaintextBytes.Length);
byte[] encryptedTextBytes = msEncrypt.ToArray();

Where the encrypted data is now stored within encryptedTextBytes. Decryption is the reverse procedure using a decryption algorithm.

MemoryStream msDecrypt = new MemoryStream(encryptedTextBytes);
CryptoStream csDecrypt = new CryptoStream(msDecrypt, sa.CreateDecryptor(), CryptoStreamMode.Read);
byte[] decryptedTextBytes = new Byte[encryptedTextBytes.Length];
csDecrypt.Read(decryptedTextBytes, 0, encryptedTextBytes.Length);

string decryptedTextString = (new UnicodeEncoding()).GetString(decryptedTextBytes);

You can now use the encrypted text to store. Note: a password has not been used to encrypt this data, so it can still be decrypted using the machine hash key.

The best solution is to use the automatic section protection feature of .Net. This is done using a WebConfigurationManager and RsaProtectedConfigurationProvider and can protect the entire appsettings section.

using System.Web.Configuration;

private void EncryptAppSettings()  
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
    if (!objAppsettings.SectionInformation.IsProtected)
        objAppsettings.SectionInformation.ForceSave = true;
private void DecryptAppSettings()
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");
    if (objAppsettings.SectionInformation.IsProtected)
        objAppsettings.SectionInformation.ForceSave = true;

This code will effectively encrypt the entire appSettings section to make it unviewable by people with access to the web server, but should not have access to the settings (i.e. server administrator). Below is a before and after shot of a protected appSettings section.

  <add key="connectionString" value="Driver={SQL Native Client};Server=myServerAddress;Database=myDataBase;Uid=myUsername;Pwd=myPassword;"/>
  <add key="test" value="this is a test"/>
<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>Rsa Key</KeyName>

You can still use the appSettings as normal, the only change is the way the data is held within the file.


Did you enjoy this post? Let others know!

If you enjoyed this post, please share it with others. Click one of the social media buttons below to share on Facebook, Twitter, LinkedIn, Pinterest or email to a friend.

Leave a Reply

Fields marked with * are mandatory.

We respect your privacy, and will not make your email public. Hashed email address may be checked against Gravatar service to retrieve avatars. This site uses Akismet to reduce spam. Learn how your comment data is processed.