This HTTP handler allows you to encrypt the configuration files of your ASP.NET applications without needing access to the console of your web server to run the encryption utility from the command line.

Some configuration sections of your files (connectionStrings, for example) may contain security-critical data, such as user names and passwords. Encrypting them helps if an attacker manages to get your web.config file, as in the case of the recent cryptographic oracle weakness mentioned in Microsoft security advisory 2416728.

More about protected configuration can be found in the MSDN article Encrypting Configuration Information Using Protected Configuration.

The common approach is to encrypt the web.config file from the command line, using the aspnet_regiis.exe utility. But in many scenarios, running something from the command line is impractical or downright impossible on your web server. So I created an HTTP handler, which can be used in web hosting scenarios to encrypt and decrypt any configuration section using DataProtectionConfigurationProvider.

Installation and usage

Installation and usage differ for "full trust" web sites (such as when you are running your application on your own web server) and "medium trust" web sites (such as low-cost shared web hosting programs). In the latter case you'll need the cooperation of the web server administrator (web hoster).

This software is not supposed to be installed and configured permanently. Install the software, encrypt the critical sections and uninstall it. Leaving the handler active for extended periods of time poses a security risk, since anyone who knows the URL of the handler can encrypt and decrypt the data.
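The following added example (not this project's code) sketches how a handler can protect or unprotect a section with DataProtectionConfigurationProvider through the System.Configuration API, and how it can refuse callers who merely know its URL. The class name, the "ConfigAdmins" role and the form field names are hypothetical, and the sketch assumes a full trust site whose application identity can write web.config.

```csharp
// Added illustration, not the project's own handler.
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public class ProtectSectionHandler : IHttpHandler    // hypothetical name
{
    private const string Provider = "DataProtectionConfigurationProvider";
    private const string AdminRole = "ConfigAdmins";  // hypothetical role

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // Knowing the URL must not be enough: require POST from an authenticated administrator.
        if (request.HttpMethod != "POST" || context.User == null || !context.User.IsInRole(AdminRole))
        {
            response.StatusCode = 403;
            response.Write("Forbidden");
            return;
        }

        string name = request.Form["section"];              // e.g. connectionStrings
        bool decrypt = request.Form["action"] == "decrypt";

        // Open this application's web.config and look up the requested section.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(request.ApplicationPath);
        ConfigurationSection section = string.IsNullOrEmpty(name) ? null : config.GetSection(name);
        if (section == null || section.SectionInformation.IsLocked)
        {
            response.StatusCode = 400;
            response.Write("Unknown or locked section");
            return;
        }

        // Change the protection state only when it differs from what was requested.
        SectionInformation info = section.SectionInformation;
        if (decrypt && info.IsProtected) info.UnprotectSection();
        else if (!decrypt && !info.IsProtected) info.ProtectSection(Provider);

        info.ForceSave = true;                               // write the section even if otherwise unmodified
        config.Save(ConfigurationSaveMode.Modified);
        response.Write(info.IsProtected ? "Section is encrypted" : "Section is not encrypted");
    }
}
```

Even with the role check in place, the handler registration should be removed from web.config once the sections are encrypted.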

Last edited Sep 27, 2010 at 1:28 AM by altair, version 2