Is Encrypting App Settings File More Secure Than Encrypting Only the App Setting Contents?

I have a question about the security of encrypting app settings files and app setting contents.


I have encrypted the content by running the following command:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
aspnet_regiis.exe -pef "secureAppSettings" "your application web config path" -prov "DataProtectionConfigurationProvider"

This generated the following encrypted file:

[image]

However, since our app settings are accessible to users on all devices, how safe is it? They can still copy it. So, what is the solution? Do I need to encrypt the app setting file itself?

Answer

Encrypting the complete file or encrypting only the entry will provide the same level of security regarding this entry. There is no practical difference; they offer the same protection against the same threat.

Side note: Please note, however, that if an end user can reverse-engineer your application or read its memory, they can discover the encryption key and recover the encrypted password. So, while encrypting can provide some amount of security against common users, it is not enough to resist a motivated attacker with access to the running application. But maybe those attackers do not exist in your threat model. In this case, encrypting this entry may be pointless, and proper access control would be enough. Only you can answer those questions.
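The answer's closing point is that access control on the file, rather than encrypting it, decides who can copy it. As an added example (not part of the original question or answer), this PowerShell function lists allow rules that give broad built-in groups read access to a config file; the function name, the choice of SIDs and the sample path are assumptions.

```powershell
# Added example. Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users.
# Which groups count as "too broad" is an assumption; adjust for your hosts.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

function Get-BroadReadAccess {
    param([Parameter(Mandatory)] [string] $Path)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path

    # Explicit and inherited rules, with identities returned as SIDs so the
    # comparison does not depend on localized group names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $isBroad = $BroadSids -contains $rule.IdentityReference.Value
        $canRead = ($rule.FileSystemRights -band $readData) -eq $readData
        if ($isAllow -and $isBroad -and $canRead) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample file standing in for a real web.config.
$sample = Join-Path $env:TEMP 'web.config.sample'
Set-Content -LiteralPath $sample -Value '<configuration />'
Get-BroadReadAccess -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

An empty result means none of the listed groups has an allow rule granting read access to the file.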
