During a security assessment we were asked to encrypt the configuration files, mainly the files that contain critical credentials, such as connectionString.config.
In the old days, when we were doing painful MSI deployments for Sitecore, we encrypted the configuration files manually using batch files. We used the ASP.NET IIS Registration Tool (aspnet_regiis.exe) for the encryption and decryption.
To encrypt the section, run the following from an elevated command prompt (the second argument is the physical directory that contains web.config):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE\Website"
To decrypt it again, run:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE\Website"
A few things to keep in mind: if the section uses configSource (as ours does), aspnet_regiis encrypts the external file rather than web.config itself; use the Framework (not Framework64) copy of the tool if the application pool runs 32-bit; and the default RsaProtectedConfigurationProvider uses the machine-level NetFrameworkConfigurationKey RSA key container, so the application pool identity needs read access to that container (aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\YourAppPool"), otherwise the site fails at runtime with "The RSA key container could not be opened". On a web farm the same key container must exist on every server, which means exporting it with -px and importing it on the other nodes with -pi.
After encryption, the connectionStrings element in connectionString.config carries a configProtectionProvider="RsaProtectedConfigurationProvider" attribute and its child nodes are replaced by an EncryptedData element; the -pdf command restores the plaintext.
For more on the ASP.NET IIS Registration Tool (aspnet_regiis.exe), see Microsoft's documentation.
How about when deploying with Octopus?
Later on we improved the deployment process by using Octopus for CI/CD. We took the following approach to encrypt the configuration during Octopus deployments:
Add a STEP Template for Encryption:
Custom step templates can be based on a built-in or an installed community step template. They can be reused across projects and are managed in the step template library.
In a step template you write your own script in one of PowerShell, C#, Bash, Python or F#. We chose a PowerShell script for our step template. It has two parameters:
$ODSP_ConfigPath: the path of the directory that contains web.config.
$ODSP_ConfigSection: the name of the config section to encrypt/decrypt. For example, our web.config has a connectionStrings section whose configSource attribute points at connectionString.config.
So the step template looks for web.config at the given path, then looks inside web.config for the section named in the other parameter. That is how it finds the path of connectionString.config to encrypt/decrypt.
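The following PowerShell is an added example of a step-template body that implements the two-parameter design described above; it is not the post's own script. It assumes the parameters arrive as $OctopusParameters['ODSP_ConfigPath'] and $OctopusParameters['ODSP_ConfigSection'] (Octopus also exposes them as $ODSP_ConfigPath and $ODSP_ConfigSection), and it adds a third, hypothetical parameter ODSP_Mode ("encrypt" or "decrypt", defaulting to encrypt) that the post does not have. The section name is used as a relative XPath under <configuration>, so nested sections such as system.web/membership work as well as connectionStrings.

```powershell
# Added example, not the post's own step template.
$ErrorActionPreference = 'Stop'

function Protect-ConfigSection {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,      # directory containing web.config
        [Parameter(Mandatory)] [string] $ConfigSection,   # e.g. connectionStrings
        [ValidateSet('encrypt', 'decrypt')] [string] $Mode = 'encrypt'
    )

    $webConfig = Join-Path $ConfigPath 'web.config'
    if (-not (Test-Path -LiteralPath $webConfig)) { throw "web.config not found at $webConfig" }

    # Locate the section inside web.config. The name doubles as a relative XPath.
    [xml]$xml = Get-Content -LiteralPath $webConfig -Raw
    $sectionNode = $xml.configuration.SelectSingleNode($ConfigSection)
    if (-not $sectionNode) { throw "Section '$ConfigSection' not found in $webConfig" }

    # If the section is externalised via configSource, that file is what aspnet_regiis
    # will actually encrypt, so check it exists and inspect it for the protection marker.
    $targetFile = $webConfig
    $targetNode = $sectionNode
    if ($sectionNode.HasAttribute('configSource')) {
        $targetFile = Join-Path $ConfigPath $sectionNode.GetAttribute('configSource')
        if (-not (Test-Path -LiteralPath $targetFile)) { throw "configSource file not found: $targetFile" }
        [xml]$targetXml = Get-Content -LiteralPath $targetFile -Raw
        $targetNode = $targetXml.DocumentElement
    }

    # An encrypted section carries configProtectionProvider (and an EncryptedData child).
    # Checking it first makes the step idempotent across repeated deployments.
    $isEncrypted = $targetNode.HasAttribute('configProtectionProvider')

    # Assumption: the site runs in a 64-bit application pool. Use Framework (not Framework64)
    # for a 32-bit pool, since the key container and provider must match the runtime.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    if (-not (Test-Path -LiteralPath $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

    if ($Mode -eq 'encrypt') {
        if ($isEncrypted) { Write-Host "$targetFile is already encrypted; skipping"; return }
        $switch = '-pef'
    } else {
        if (-not $isEncrypted) { Write-Host "$targetFile is not encrypted; skipping"; return }
        $switch = '-pdf'
    }

    Write-Host "Running aspnet_regiis $switch '$ConfigSection' '$ConfigPath' (target: $targetFile)"
    # -pef/-pdf take the section name and the physical directory of web.config, exactly as
    # in the manual commands; aspnet_regiis follows configSource to the external file itself.
    & $regiis $switch $ConfigSection $ConfigPath
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }
}

# Step-template entry point: read the Octopus parameters and run.
$mode = $OctopusParameters['ODSP_Mode']
if ([string]::IsNullOrWhiteSpace($mode)) { $mode = 'encrypt' }

Protect-ConfigSection -ConfigPath $OctopusParameters['ODSP_ConfigPath'] `
                      -ConfigSection $OctopusParameters['ODSP_ConfigSection'] `
                      -Mode $mode
```

aspnet_regiis needs an elevated process, which the Tentacle service account normally provides; if it is run as a less privileged user the call fails with an access error rather than silently leaving the file in plaintext, which is why the exit code is checked and turned into a failed step.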
The STEP Tab:
The Parameters Tab:
Add a process step that calls the step template:
Once the step template has been added, it is time to add a step to the actual deployment process. In that step, provide values for both of the step template's parameters.
Make sure both the process step and the step template are part of your project and are used during deployments. After the next deployment you should see connectionString.config encrypted.