.Net ships with aspnet_regiis.exe for encrypting configuration sections in Web.Config files, but there seems to be no quick and dirty way to do this in non-web applications. Sure, if you are packaging up software into an installation package, you can add your own custom installation action to encrypt a configuration section (see The Code Project : Implementing Protected Configuration With Windows Apps). Or you can write code into your application to automatically encrypt a config section if it encounters it in an unencrypted state (see The Code Project : Encrypting the app.config File for Windows Forms Applications). If you have IIS installed on the box, you can even rename your App.config to web.config and still use aspnet_regiis (see DotNetProfessional.com: Encrypt Sections of Web.config or App.config). But what if you just want a quick way to encrypt a config section or two without all the fuss? Or, better yet, what if you forget a password or some other important secret that is already encrypted in an app.config somewhere and you need to get it back.
Here is a simple little command line app that allows you to do app.config section encryption and decryption without having to write any addtional code (The .Net framework already takes care of decrypting these values automatically for us when we use them in our code). Only this one small EXE is required and the standard MS .Net 2.0+ runtime dlls that are already installed on your system.
AppConfigSectionEncyptor.exe (7 kb)
Below are the "Usage" instructions that result from running the EXE without any parameters. "-e" is for encrypt, "-u" is for unencrypt.
Usage: AppConfigSectionEncyptor.exe [-e|-u] [-d] file section
AppConfigSectionEncyptor -e c:\MyCode\MyApp.exe mySecureSection
AppConfigSectionEncyptor -e -d c:\MyCode\MyApp.exe mySecureSection
AppConfigSectionEncyptor -u c:\MyCode\MyApp.exe mySecureSection
Please note that 'file' is the path to the EXE, not the config file itself.
Please note that you need adaquate permissions to the keystore for this to work.
-d = use the DPAPIProtectedConfigurationProvider for encryption instead of the default RSAProtectedConfigurationProvider.
I hope that you find this useful, but as always, here is the disclaimer:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF
THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS
INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT
OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE
OR PERFORMANCE OF THIS SOFTWARE.