Using the DPAPI in ASP.NET


Although the resources mentioned above provide the base knowledge for using the DPAPI, the code examples are written in C# and are not integrated with the ASP.NET configuration system. To implement the DPAPI in your ASP.NET Web application, you can use the following simple steps.

Step one
Download and compile the DataProtector class shown in Listing A in a class library application. This class is the Visual Basic .NET version of the C# code published on MSDN, with several enhancements. First, the DataProtector class is included in the Microsoft.Win32.DPAPI namespace to make it simple to find. Second, I’ve added the overloaded EncryptString and DecryptString methods that work on plain text and base64-encoded strings rather than only on byte arrays. These methods are ideal for reading and writing data to the Web.config file.

Step two
Write a small console application that uses the DataProtector class to encrypt the connection string using code like this:
Dim e As String = DataProtector.EncryptString("Application Name=intranet; Password=atomicdoesitbetter;User ID=atomic;Initial Catalog=AtomicDotNet;Data Source=127.0.0.1;", "intranet")

Then, copy the resulting base64-encoded string to the Web.config file and place it in an application-specific configuration section, as shown in Listing B. Note that you’ll need to run the console application on the IIS server to generate the encrypted base64-encoded string. This is because the EncryptString function instructs the DPAPI to use the machine-wide key, so the encryption and decryption will be valid only on the same machine. This is particularly important if you’re running in a Web farm scenario, where a string encrypted on one server cannot be decrypted on another. You’ll notice that the EncryptString function in the snippet above also passes in the secondary entropy value, in this case the name of the application; the same value must be supplied again when the string is decrypted.

Step three
Create a configuration section handler class like that shown in Listing C. This class reads the atomicSettings section of the Web.config file automatically. The class can be registered in the configSections element of the Web.config file like so:
<configSections>
 <section name="atomicSettings" type="Atomic.Web.Utils, intranetApp"  />
</configSections>


Now, whenever the application is restarted or the Web.config file is changed, the ASP.NET application will invoke the Create method of the Utils class. This method will read the encrypted string from the Web.config file and decrypt it by calling the DataProtector’s DecryptString method. This value will then be exposed to the application via the shared (static) ConnectString property. This way, all the code in the application needs to do to access the connection string is this:
Dim c As String = Atomic.Web.Utils.ConnectString

As a result, the connection string is safely encrypted in Web.config, and yet code in the application is abstracted from the details involved in decrypting this value.
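
The round trip from steps two and three, as an added example that is not the article's Listing A: it uses the ProtectedData class from System.Security.Cryptography (.NET Framework 2.0 and later) instead of the wrapper class the article describes. The module name DpapiSketch, the function bodies and the sample connection string are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography   ' needs a reference to System.Security.dll on .NET Framework
Imports System.Text

' Hypothetical stand-in for the article's DataProtector class (Listing A is not reproduced here).
Module DpapiSketch

    ' Encrypts with the machine-wide key; appName is the secondary entropy.
    Function EncryptString(plainText As String, appName As String) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(plainText)
        Dim entropy As Byte() = Encoding.UTF8.GetBytes(appName)
        Dim blob As Byte() = ProtectedData.Protect(data, entropy, DataProtectionScope.LocalMachine)
        Return Convert.ToBase64String(blob)
    End Function

    ' Reverses EncryptString. Throws CryptographicException when the blob was
    ' produced on a different machine or with a different entropy value.
    Function DecryptString(base64Blob As String, appName As String) As String
        Dim blob As Byte() = Convert.FromBase64String(base64Blob)
        Dim entropy As Byte() = Encoding.UTF8.GetBytes(appName)
        Dim data As Byte() = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.LocalMachine)
        Return Encoding.UTF8.GetString(data)
    End Function

    Sub Main()
        ' Constructed sample value, not a real credential.
        Dim secret As String = "Data Source=127.0.0.1;User ID=example;Password=example;"

        ' Step two: run this on the IIS server and paste the output into Web.config.
        Dim stored As String = EncryptString(secret, "intranet")
        Console.WriteLine(stored)

        ' Step three: the configuration handler decrypts with the same entropy.
        Console.WriteLine(DecryptString(stored, "intranet") = secret)

        ' A caller on the same machine that supplies different entropy is refused.
        Try
            DecryptString(stored, "otherApp")
        Catch ex As CryptographicException
            Console.WriteLine("Decryption refused: entropy does not match")
        End Try
    End Sub
End Module
```

Because the machine-wide key is available to every process on the server, the entropy value is the only thing separating one application's secrets from another's, so it is worth treating the application name as part of the secret rather than as a label.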

Effectively protect sensitive data
By coupling the ASP.NET configuration system with the DPAPI, ASP.NET developers can effectively and efficiently protect sensitive data such as connection strings stored in the Web.config file.
