I have 2 related questions:

What is the best way to manage deployment of web projects between environments? I just downloaded the .NET Web Deployment Project and it seems to handle things like replacing certain sections of the web.config to match the environment, which is great. The other thing that I wanted to automate was the encryption of certain sections of the web.config. Is there any way to 'auto-encrypt' the web.config sections after a publish?

The second question was...where do you store your passwords in a web.config? I want to encrypt the password but not the rest of the appSettings. Do I have to make a custom web.config configuration setting area?

+1  A: 

Hey Joel - the web deployment project is a bit dated now - check out the MS Deploy tool instead (it will be shipping with VS2010, but it's available stand-alone now). What you're asking is probably not handled out of the box with MSDeploy (machine-specific DPAPI encryption), but since the tool is integrated with PowerShell, you can use the PowerShell v2 CTP3 remoting feature to run the script to encrypt your configs on each machine, remotely (which is the only way you can access machine-local DPAPI anyway.)

This guy here does something similar:

http://forums.iis.net/p/1156413/1904975.aspx

-Oisin

x0n
A: 

We use RSA Protected Configuration to encrypt sections of our web.config manually after the webapp has been deployed to the new environment. The OS protects the keys for us. Hopefully that's helpful as you figure out how to automate your solution.

lance
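
A post-publish step along the lines the two answers describe, as an added example (not code from either answer): it runs on the target server, encrypts only the named top-level sections with `aspnet_regiis -pef`, skips sections that are already protected, and confirms the result. The site path, the framework directory and the `secureAppSettings` section (a hypothetical custom section holding only the password, leaving `appSettings` in plaintext) are assumptions.

```powershell
# Added example. Run on the web server itself: the RSA key container is machine-local.
param(
    [string]   $SitePath = 'C:\inetpub\wwwroot\MyApp',                   # assumed physical path
    [string[]] $Sections = @('connectionStrings', 'secureAppSettings'),  # secureAppSettings is hypothetical
    [string]   $Provider = 'RsaProtectedConfigurationProvider',
    [string]   $RegIis   = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"  # assumed version
)

$ErrorActionPreference = 'Stop'
$configFile = Join-Path $SitePath 'web.config'

# Returns $null if the section is missing, otherwise $true/$false for "already encrypted".
# Handles top-level sections only; local-name() ignores any xmlns on <configuration>.
function Test-SectionEncrypted([string] $File, [string] $Section) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($File)
    $node = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$Section']")
    if ($null -eq $node) { return $null }
    # Protected sections carry a configProtectionProvider attribute on the section element.
    return $node.HasAttribute('configProtectionProvider')
}

foreach ($section in $Sections) {
    $state = Test-SectionEncrypted $configFile $section
    if ($null -eq $state) { Write-Warning "Section '$section' not found, skipping"; continue }
    if ($state)           { Write-Output  "Section '$section' is already encrypted"; continue }

    # -pef encrypts the named section of the web.config in the given physical directory.
    & $RegIis -pef $section $SitePath -prov $Provider | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for '$section' (exit $LASTEXITCODE)" }

    # Do not trust the exit code alone: re-read the file and fail the deployment if plaintext remains.
    if (-not (Test-SectionEncrypted $configFile $section)) {
        throw "Section '$section' is still plaintext after encryption"
    }
    Write-Output "Encrypted '$section' with $Provider"
}

# The application pool identity also needs read access to the default key container, e.g.:
#   aspnet_regiis -pa "NetFrameworkConfigurationKey" "<app pool account>"
```

A custom section such as `secureAppSettings` has to be declared under `configSections` in the web.config before `aspnet_regiis` or the application can load it.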