5.9. Protected Configuration
Since ASP.NET 1.0, a common request has been for a way to safely store sensitive configuration information and shield it from prying eyes. The most common information that developers want to protect is connection strings because these frequently contain username-password pairs. But sorts of interesting information beyond connection strings is contained within ASP.NET configuration files. If you use the <identity /> section, you again have credentials stored in configuration. If you use classes in the System.Net namespace, you may have configuration elements listing out SMTP servers or other network endpoints and so on.
Since the 2.0 Framework, there has been a feature to deal with this problem called protected configuration. Protected configuration is a way to take selected pieces of any configuration file and store the configuration information instead in a secure and encrypted format. The great thing about the protected configuration feature is that it can be used with just about any configuration section—both ASP.NET and non-ASP.NET configuration sections. As with other features in ASP.NET, protected configuration is provider-based, so you can buy or write alternative protected configuration providers instead of using the built-in providers.
Out of the box, the .NET Framework ships with two protected configuration providers:
System.Configuration.DPAPIProtectedConfigurationProvider
System.Configuration.RsaProtectedConfigurationProvider
As the class ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.