This forum post will show you how to encrypt and decrypt your web.config file. By default, this file is located in the c:\inetpub\passwordstate folder on your webserver.

 

A standard web.config file will be in clear text, and the two important parts of this file with sensitive information are the "Connection String" section and the "AppSettings" section.

 

The ConnectionString section holds the credentials that your Passwordstate website uses to connect to your database.  So it will contain the server name, the database name and database instance if it is applicable, and the SQL username and password.

 

The AppSettings section contains the two Secret Keys which are used to protect your website from being accessed if your database is stolen, and the setup stage of your install.

 

A clear text web.config file looks like this:

[Screenshot: 2024-01-30_13-14-35.png]

 

An encrypted web.config file looks like this:

[Screenshot: 2024-01-30_13-12-14.png]

 

As you can see, the encrypted web.config file is not readable when it is encrypted, and this can protect your information in the event your web server has been compromised.

 

Encrypting Web.config file:

To encrypt or decrypt the different sections of the web.config file, please follow the instructions below.

 

Step 1:

Open a command prompt as Administrator

 

Step 2:

Change directories by copying and pasting the following code into your command prompt, and hit enter:  CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319

 

Step 3:

To encrypt the connectionString section, execute this line of code:  aspnet_regiis.exe -pef "connectionStrings" "c:\inetpub\passwordstate"

 

To encrypt the AppSettings section, execute this line of code:  aspnet_regiis.exe -pef "appSettings" "c:\inetpub\passwordstate"

 

 

Decrypting the web.config file:

To decrypt the web.config file, the code you execute is only slightly different:

 

Step 1:

Open a command prompt as Administrator

 

Step 2:

Change directories by copying and pasting the following code into your command prompt, and hit enter:  CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319

 

Step 3:

To decrypt the connectionString section, execute this line of code:  aspnet_regiis.exe -pdf "connectionStrings" "c:\inetpub\passwordstate"

 

To decrypt the AppSettings section, execute this line of code:  aspnet_regiis.exe -pdf "appSettings" "c:\inetpub\passwordstate"

 

 

 

Notes:

Note 1: Decrypting the web.config file must be carried out on the same server where it was encrypted, otherwise this process will not work.  This is part of the security and is built in to the operating system.  If you are migrating your Passwordstate website to a new server, it must be decrypted first on the old server, otherwise your website will not load. 

 

Note 2: If you encrypt the AppSettings section of your web.config file, it is imperative you keep an exported copy of your encryption keys in a safe place, as they may be required in the event of a server rebuild, or server move. You can export your encryption keys to a password protected zip file under Administration -> Encryption Keys once you have access to your website. The Passwordstate built-in backup feature can also take a backup of your encryption keys on a regular schedule. Please see the Click Studios documentation page for links on how to set this up: https://www.clickstudios.com.au/documentation/

 

Note 3: If you intend to rename your server host name, or move your Passwordstate install to a different server, you should decrypt your web.config file first, and re-encrypt it again once the renaming is complete.

 

If you have any more questions about this, please contact Click Studios support via email, and we'll help in any way we can.

 

Regards,

Support.
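
A way to confirm the result of the encrypt and decrypt steps above, as an added example that is not part of the original post or Click Studios' own tooling: this PowerShell snippet reports whether the connectionStrings and appSettings sections are stored encrypted. It assumes the default path from the post; the function name Get-SectionProtectionState and the embedded sample XML are constructed for illustration.

```powershell
# Added example (not Click Studios code). Reports whether the two sensitive
# web.config sections are stored encrypted or in clear text.
function Get-SectionProtectionState {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $SectionName
    )
    # local-name() keeps the lookup working if the file declares XML namespaces.
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='$SectionName']")
    if ($null -eq $section) {
        return [pscustomobject]@{ Section = $SectionName; State = 'Missing'; Provider = $null }
    }
    # An encrypted section carries a configProtectionProvider attribute and
    # holds an EncryptedData element instead of its normal child elements.
    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $null -ne $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $state = if ($provider -and $encrypted) { 'Encrypted' } else { 'ClearText' }
    [pscustomobject]@{ Section = $SectionName; State = $state; Provider = $provider }
}

# Constructed, simplified sample: connectionStrings encrypted, appSettings clear text.
[xml]$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ExampleKey" value="constructed-sample-value" />
  </appSettings>
</configuration>
'@

# Check the real file when present (default path from the post), else the sample.
$path   = 'C:\inetpub\passwordstate\web.config'
$config = if (Test-Path -LiteralPath $path) { [xml](Get-Content -LiteralPath $path -Raw) } else { $sample }

$report = 'connectionStrings', 'appSettings' |
    ForEach-Object { Get-SectionProtectionState -Config $config -SectionName $_ }
$report | Format-Table -AutoSize

# Warn on anything not encrypted so a scheduled check can surface a regression.
$report | Where-Object State -ne 'Encrypted' |
    ForEach-Object { Write-Warning "$($_.Section) is $($_.State)" }
```

The check only reads the file and never needs to decrypt it, so it can also be run against a copy of web.config taken from the server.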

 
