Encrypt App.config section using PowerShell as a Post-build event
It is very easy to encrypt a section of the Web.config file using the Aspnet_regiis.exe tool, but there is no equivalent tool to encrypt a section of an application configuration file (App.config). It can be done very easily in code, as explained in this post, but there is no way to do that automatically. So I decided to write a PowerShell script that would encrypt a section of the given application’s configuration file.
Here is what it looks like:
param(
    [String] $appPath = $(throw "Application exe file path is mandatory"),
    [String] $sectionName = $(throw "Configuration section is mandatory"),
    [String] $dataProtectionProvider = "DataProtectionConfigurationProvider"
)

# The System.Configuration assembly must be loaded before ConfigurationManager can be used
$configurationAssembly = "System.Configuration, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a"
[void] [Reflection.Assembly]::Load($configurationAssembly)

Write-Host "Encrypting configuration section..."

# Open the .config file that belongs to the given exe (e.g. MyApp.exe -> MyApp.exe.config)
$configuration = [System.Configuration.ConfigurationManager]::OpenExeConfiguration($appPath)
$section = $configuration.GetSection($sectionName)
if ($section -eq $null) { throw "Section '$sectionName' was not found in $($configuration.FilePath)" }

# Only encrypt once; a section that is already protected is left as it is
if (-not $section.SectionInformation.IsProtected)
{
    $section.SectionInformation.ProtectSection($dataProtectionProvider)
    # ForceSave makes sure the section is written back even if nothing else changed
    # ([System.Boolean] has no static member named True; $true is the PowerShell literal)
    $section.SectionInformation.ForceSave = $true
    $configuration.Save([System.Configuration.ConfigurationSaveMode]::Modified)
}
Write-Host "Succeeded!"
Some explanation on the script:
- System.Configuration assembly must be loaded. To do this, I use a technique described in a post from Lee Holmes.
- The default data protection provider is DataProtectionConfigurationProvider. Still, you can specify another provider (for example, RSAProtectedConfigurationProvider) as a third argument.
Believe it or not, that was the easy part.
The next step is to run this script automatically as a Post-build event in Visual Studio, so that the .config file that is "built" is encrypted. It sounds very easy, but it is actually tricky; I had to try many times to get it right.
I will give it straight away, here is the command to put in the Post-build event:
powershell "& ""C:\Documents and Settings\VlericP\My Documents\WindowsPowerShell\EncryptAppConfigSection.ps1""" '$(TargetPath)' 'connectionStrings'
There are a lot of quotes, but this is the only way to get it working. For detailed explanations on why, see this post: Invoking a PowerShell script from cmd.exe (or Start | Run).
Using this, you can keep your App.config file unencrypted in your solution, and when you build, the output .config file is encrypted.
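A Post-build step that silently fails leaves the output .config in plaintext, so it is worth verifying the result. The following companion script is an added example, not part of the original post: it opens the built .config the same way the encryption script does, reports whether the requested section is protected and by which provider, and exits non-zero otherwise, so it can be chained after the encryption command. The function name Test-ProtectedConfigSection and the use of Add-Type to load System.Configuration are my own choices.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $appPath,      # e.g. $(TargetPath) from Visual Studio
    [Parameter(Mandatory = $true)] [string] $sectionName   # e.g. connectionStrings
)

function Test-ProtectedConfigSection {
    param([string] $appPath, [string] $sectionName)

    # Same assembly the encryption script loads, via Add-Type instead of Reflection.Assembly::Load
    Add-Type -AssemblyName System.Configuration

    $configuration = [System.Configuration.ConfigurationManager]::OpenExeConfiguration($appPath)
    $section = $configuration.GetSection($sectionName)
    if ($section -eq $null) {
        throw "Section '$sectionName' was not found in $($configuration.FilePath)"
    }

    $info = $section.SectionInformation
    $providerName = $null
    if ($info.IsProtected) { $providerName = $info.ProtectionProvider.Name }

    # Second, independent check on the raw XML: a protected section is stored as
    # <sectionName configProtectionProvider="..."><EncryptedData>...</EncryptedData></sectionName>
    $rawXml = Get-Content -Path $configuration.FilePath -Raw
    $hasEncryptedData = $rawXml -match "<$sectionName[^>]*configProtectionProvider=" -and $rawXml -match "<EncryptedData"

    New-Object PSObject -Property @{
        File             = $configuration.FilePath
        Section          = $sectionName
        IsProtected      = [bool] $info.IsProtected
        Provider         = $providerName
        EncryptedDataXml = $hasEncryptedData
    }
}

$result = Test-ProtectedConfigSection -appPath $appPath -sectionName $sectionName
$result | Format-List File, Section, IsProtected, Provider, EncryptedDataXml

# Fail the build when the API and the raw file disagree, or when the section is still plaintext
if (-not ($result.IsProtected -and $result.EncryptedDataXml)) {
    Write-Error "Section '$sectionName' in $($result.File) is NOT encrypted"
    exit 1
}
exit 0
```

When the DataProtectionConfigurationProvider was used, Provider reports that name; the resulting file is only readable on the machine (and, for the default user-independent scope, by accounts on that machine) where it was encrypted, which is the trade-off to keep in mind when choosing between it and RSAProtectedConfigurationProvider.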
One Response to “Encrypt App.config section using PowerShell as a Post-build event”
I’m thinking this stores the decryption key on the machine that it was encrypted on, correct? Is there any way to do this so that it can be encrypted when built but also used on other machines? I know that would be pretty weak encryption, but it would keep it from the prying eyes of people who don’t know how to decrypt.