How to encrypt sections in web.config and to share among the servers


Considering you have 2 iis servers (SERVER#1 and SERVER#2) which share the same web.config file. You would like to encrypt the sections in the file for security consideration. How to make it work on both servers after the encryption?



1.Create a new key container with the name of MyKeys on the SERVER#1:

aspnet_regiis -pc “MyKeys” -exp

2.Add configProctedData section into the config to be encrypted



<add name=”MyProvider”

type=”System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.30319.0,

Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,processorArchitecture=MSIL”


useMachineContainer=”true” />




1) The PublicKeyToken depends on the dll version, you can use sn.exe to get this:


2) This section should be added after <configSections>, or this section will be automatically removed after the encryption as it can only be existing as the first child of the <configuration>

3) Set KeyContainerName with the name of the key container just created

4) Set processorArchitecture based on the architecture you have

5) You can change name MyProvider as you like


3. Encrypt the section by using the command as below: eg: application-name: MyApplication, section: connectionStrings

aspnet_regiis -pe “connectionStrings” -app “/MyApplication” -prov “MyProvider”

4. Export the key container to a file:

 aspnet_regiis -px “MyKeys” “c:\keys.xml” -pri

5. Copy the c:\keys.xml to the SERVER#2

6. Import the key container from the file

aspnet_regiis -pi “MyKeys” “c:\keys.xml”

7. Grant permission to the application pool identity, eg: NT AUTHORITY\NETWORK SERVICE:

aspnet_regiis -pa “MyKeys” “NT AUTHORITY\NETWORK SERVICE”


Jinjie ZHOU from DSI team.

Comments (0)

Skip to main content