Is Encrypting A Web.config Useful?

In my last blog post I wrote about a utility has created to make it easier to encrypt web.config files hoping it would encourage more developers to protect their data. If you've ever tried doing it manually before, it isn't really a very convenient process.

Additionally, I posted the blog entry on CodeProject -- and received rather interesting response.

This article is pointless.

  • Quote any high security site that uses an encrypted config file!
  • If somebody has physical access to your config file/web server, you are as well doomed

Really? Is encrypting your web.config pointless. I don't think so. In fact, I replied back with the following.

Encrypting a web.config file isn't to defend against your server being compromised, but even if it were then I don't think you understand exactly how aspnet_regiis works. The keys are written and locked down so that only members of the Administrators group can even read it, any lesser privileged accounts still can't decrypt your web.config. Since typically website worker processes are running as NETWORK SERVICE, then unless you did something REALLY silly, your web.config should still be safe.

Even though that isn't bullet-proof security, think about this scenario -- You've have some junior developer right out of college working on a project that allows people to go out and download documents off your web server. He wants to send back the file as a download so he writes the bytes to the response stream and makes a change to the content-disposition and viola - freshly served documents all with a nice and neat little download dialog box.

But if your developer left a tiny little bug in the app and it was possible to download "../web.config" -- What would you prefer to be served up? Encrypted or unencrypted?

In my opinion, an encrypted web.config file is 100% better than no encryption at all. Logging onto the server and running aspnet_regiis was very inconvenient way to get this done - this tool was made just try and help people get it done without needing to invest a lot of time into it.

But this really got me wondering, is this really a common opinion in the development community? Is encrypting your web.config really a waste of time? I don't really think that encrypting your web.config file is the solution to all your problems - but it is some really cheap insurance that you can take out on sensitive file.

So what do you think? Is encrypting a web.config worth the time?

July 20, 2009

Is Encrypting A Web.config Useful?

Post titled "Is Encrypting A Web.config Useful?"