Securing your Web.config File

Click Studios has always strongly recommended that customers encrypt both the Database Connection String and the appSettings sections of their Web.config file.

Encrypting these sections is part of the Click Studios Best Practice approach for securing your Passwordstate instances. It ensures that, should anyone gain access to your Web Server’s file system, they will be unable to use the details in the Web.config file to access and retrieve your Password Credentials.

The process is straightforward and is outlined below. If you are unsure as to whether your existing Web.config file is already encrypted or not, you can follow the steps in this previous Blog. As always, we welcome your feedback via support@clickstudios.com.au.

Further details on how to perform this encryption can be found under Sections 10 and 11 in our Passwordstate Installation Instructions.

Encrypting the Database Connection String

On your Passwordstate Web Server, open a Command Prompt with administrator privileges and navigate to C:\Windows\Microsoft.NET\Framework64\v4.0.30319

Now type in aspnet_regiis.exe -pef "connectionStrings" "c:\inetpub\passwordstate" and press Enter. Note that if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance. You should see the following:


Now that you’ve successfully encrypted your Database Connection String, you’ll need to restart your Passwordstate Windows Service. To do this you can enter the following commands:

net stop "Passwordstate Service"

net start "Passwordstate Service"

You should be presented with the following after running each command.


Your Passwordstate Instance is now running again with the encrypted connection string. Now you should proceed to encrypt the appSettings section of your Web.config file.

Encrypting the appSettings Section

Assuming you are still in the Command Prompt with administrator privileges, type in aspnet_regiis.exe -pef "appSettings" "c:\inetpub\passwordstate" and press Enter. Again, if you installed Passwordstate in a different location you’ll need to replace c:\inetpub\passwordstate with the location of your Passwordstate instance. Once again, you’ll need to restart your Passwordstate Windows Service with net stop "Passwordstate Service" and net start "Passwordstate Service".

Your screen should look similar to the one below:


Now just exit the Command Prompt and take a well-earned break. You’ve just made your Passwordstate instance even more secure!
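To confirm the result of the two aspnet_regiis.exe commands above, the following PowerShell check reports whether connectionStrings and appSettings are stored as EncryptedData or are still readable. It is an added example, not Click Studios code; the function name, the -ConfigPath parameter and the embedded sample file are assumptions constructed for illustration.

```powershell
# Added example (not Click Studios code): report whether the two sections
# this post encrypts are still readable in plain text.
# -ConfigPath is a hypothetical parameter, e.g. C:\inetpub\passwordstate\web.config
param([string]$ConfigPath)

function Get-SectionProtection {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($name in 'connectionStrings', 'appSettings') {
        $section = $Config.SelectSingleNode(
            "/*[local-name()='configuration']/*[local-name()='$name']")
        # An encrypted section carries a configProtectionProvider attribute
        # and holds an EncryptedData element instead of its normal children.
        $status = if ($null -eq $section) {
            'Missing'
        } elseif ($section.GetAttribute('configProtectionProvider') -and
                  $section.SelectSingleNode("*[local-name()='EncryptedData']")) {
            'Encrypted'
        } else {
            'Plaintext'
        }
        [pscustomobject]@{ Section = $name; Status = $status }
    }
}

# Constructed sample, used when no path is given: connectionStrings already
# encrypted, appSettings not yet. Cipher text and setting values are placeholders.
$sample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ExampleKey" value="example-value" />
  </appSettings>
</configuration>
'@

$xmlText = if ($ConfigPath) { Get-Content -LiteralPath $ConfigPath -Raw } else { $sample }
$report = Get-SectionProtection -Config ([xml]$xmlText)
$report | Format-Table -AutoSize
if ($report.Status -contains 'Plaintext') {
    Write-Warning 'At least one section is still stored in plain text.'
}
```

Run without arguments it evaluates the constructed sample and flags appSettings; pass the path to your own Web.config to check a real instance.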
