This article describes a powerful feature of ASP.NET 2.0 that encrypts and decrypts the configuration sections of a configuration file.
A configuration file is a well-formed XML file that holds all the settings of an application, whether Windows or Web. For a Web application the configuration file is Web.config; for a Windows application it is App.config. The file can be encoded in ANSI, UTF-8, or Unicode, and the system detects the encoding automatically.
The root element of Web.config is always the <configuration> tag. The skeleton of a configuration file looks like the listing below.
Listing 1
<configuration>
<!-- All Configuration settings to be here-->
</configuration>
Why encryption for Configuration?
Configuration files need to be encrypted because they may hold crucial information that must be protected; once encrypted, their contents cannot be read in any text editor.
A configuration file may contain simple user credentials or database access information such as the server name, database name, user ID and password. Protected configuration lets us encrypt sections of an ASP.NET application's Web.config file in order to protect the sensitive information used by the application.
This improves the security of our application by making it difficult for an attacker to obtain the sensitive information even if the attacker gains access to the Web.config file itself.
ASP.NET includes two protected configuration providers that can be used to encrypt sections of a Web.config file:
RSAProtectedConfigurationProvider, which uses the RSACryptoServiceProvider to encrypt configuration sections, and DPAPIProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.
ASP.NET 2.0 introduced this feature: almost all sections of the configuration file can be encrypted, including user-defined sections. A few sections, such as <httpRuntime>, cannot be encrypted; these sections are read by IIS and must not be encrypted.
Encrypting the Configuration File
Encrypting the configuration file is illustrated in the form of a simple method, Encrypt. The code assumes the reader is well versed in C# programming for ASP.NET, and shows how the appSettings section of Web.config can be encrypted.
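As an added example (not the article's own Encrypt method), the following C# helper encrypts or decrypts a named section of Web.config with either built-in provider; it assumes it runs inside the Web application under an identity that may write to Web.config, and the application path and section name are caller-supplied inputs.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Helper that protects or unprotects one section of the application's Web.config.
// The two provider names are the built-in providers registered in machine.config.
public static class ConfigProtection
{
    public const string RsaProvider   = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // appPath: virtual path of the application, e.g. "/" or "/MyApp" (assumed caller input).
    // sectionName: e.g. "appSettings" or "connectionStrings".
    public static void Encrypt(string appPath, string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        // Already encrypted: leave it alone rather than failing on a second call.
        if (section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.ProtectSection(providerName);
        // ForceSave writes the section back even though its values did not change.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    public static void Decrypt(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }
}

// Constructed usage from a page or an admin-only handler:
//   ConfigProtection.Encrypt(Request.ApplicationPath, "appSettings", ConfigProtection.RsaProvider);
// Afterwards ConfigurationManager.AppSettings["key"] still returns plaintext at run time;
// only the section stored on disk is encrypted.
```

The worker process identity needs write access to Web.config and, for the RSA provider, read access to the RSA key container (granted with aspnet_regiis -pa); the DPAPI provider ties the encrypted section to the machine, so the file will not decrypt if copied to another server.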