Crypt.config.bat is a command-line tool (Windows batch script) that use the .NET Framework's aspnet_regiis.exe utility to:
- encrypt or decrypt sensitive data in the application configuration (.config) files;
- create or delete RSA key containers;
- grant or revoke access to the RSA key containers for userss or groups;
- export or import RSA keys to or from files.
Crypt.config.bat can encrypt any .config files, including web.config, app.exe.config, or custom-named files.
Crypt.config [OPERATION] [SWITCHES]
Encrypt a section in a .config file (default).
Decrypt a section in a .config file.
Create an RSA key container.
Delete an RSA key container.
Export RSA keys to a file.
Import RSA keys from a file.
Grant access to RSA key container to user/group.
Remove access to RSA key container from user/group.
Show runtime parameters (for debugging purposes).
Display license information.
Print version information.
Print this help information.
Name of configuration section in .config file(s) to be encrypted or decrypted. Default value: 'secureAppSettings'. Required for operations: encrypt, decrypt.
Name(s) or mask(s) used identify the configuration file(s) to be processed. Separate multiple values by colons (:). Name(s) of the file(s) will be appended to the folder (see description of the '/dir' switch) to build the full path(s). If not specified, all files with extension '.exe.config' found in the folder identified by the '/dir' switch will be processed along with the 'web.config' file. Default value: *.exe.config:web.config. Optional for operations: encrypt, decrypt.
Name(s) or mask(s) used identify the configuration file(s) to be excluded from processing. The value of this switch uses the same format as the value of the '/include' switch. Optional for operations: encrypt, decrypt.
Path to the folder holding configuration file(s) to be processed. If not specified, the folder hosting this batch script will be used. Optional for operations: encrypt, decrypt, export, import.
Name of the RSA key container. Required for operations: create, delete, export, import, grant, revoke.
Name of the RSA cryptographic provider defined in the .config file's 'configProtectedData\providers' section. If not specified, the default provider set in the 'configProtectedData' section's 'defaultpProvider' attribute will be used. Optional for operations: encrypt.
Name or path to the export/import file holding the RSA key. If the key is missing, the name will be generated from the name of the RSA key container specified via the '/container' switch (it will have the '.xml' extension). If the key name contains a folder information -- detected by the presense of the backslash () character -- it will be left as is; otherwise, the name of the folder identified by the '/dir' switch or the default folder name will be added at the beginning of the key name to generate the absolute path. Optional for operations: export, import.
Name of user or group account that will have access to the RSA key container granted/revoked. To specify multiple account names, separate them by colons (:), e.g. /account:"NT AUTHORITY\Network Service:NT AUTHORITY\Local Service". Default value: NT AUTHORITY\NETWORK SERVICE. Required for operations: grant, revoke.
When this switch is set, a backup of the configuration file(s) to be processed will be created before running the encryption/decryption operation. If the switch does not have a value, only configuration file(s) will be processed; otherwise, in addition to the configuration file(s) files identified by the switch will be processed as well (this could be helpful when configuration files reference sections holding sensitive settings from external files). The value of this switch uses the same format as the value of the '/include' switch. If a generated backup file name points to an existing file, the file will be overwritten. Optional for operations: export, import.
File extension (such as '.txt') that will be used for naming backup files. If this switch is set, it will turn the 'backup' switch on as well. Default value: .bak. Optional for operations: export, import.
When this switch is set, the script will print important runtime parameters.
When this switch is set, informational messages non-essential for the intended operaytion will not be displayed. Error messages may be displayed regardless.
Crypt.config encrypt /section:myAppSettings /provider:myRsaProv
Encrypts section 'myAppSettings' in all .exe.config and web.config files found in the same directory from which the script runs using the provider named 'myRsaProv'.
Crypt.config encrypt /section:myAppSettings /dir:"C:\Program Files\MyApp" /include:MyApp.exe.config
Encrypts section 'myAppSettings' in the MyApp.exe.config file located in the 'C:\Program Files\MyApp' folderusing the default provider (per configuration file).
Crypt.config decrypt /section:myAppSettings /dir:. /backup:"db.config:secure*.config"
Decrypts section 'myAppSettings' in all .exe.config and web.config files found in the current directory using a default provider. Before performing the operation, it will copy each affected file to a backup file with the .bak extension. It will also back up external files (supposedly referenced by the configuration files): 'db.config' and all files matching the 'secure*.config' mask.
Crypt.config create /container:myRsaKey
Creates an RSA key container named 'myRsaKey'. The key will be exportable, so it can be imported on other machines to allow decryption of the same encrypted settings.*
Crypt.config delete /container:myRsaKey
Deletes the RSA key container named 'myRsaKey'.
Crypt.config grant /container:myRsaKey /account:.\MyAppPoolUsers
Grants access to the RSA key names 'myRsaKey' to a local group called 'myAppPoolUsers'.
Crypt.config revoke /container:myRsaKey /account:.\MyAppPoolUsers
Revokes access to the RSA key names 'myRsaKey' from a local group called 'myAppPoolUsers'.
Crypt.config export /container:myRsaKey /key:myRsaKey.txt
Exports RSA key from container named 'myRsaKey' to the 'myRsaKey.txt' file in the current directory.
Crypt.config import /container:myRsaKey /key:myRsaKey.txt
Imports RSA key from the 'myRsaKey.txt' file in the current directory into a new container named 'myRsaKey'.
Use the following command to display this help info one echo screen at a time:
Crypt.config /? | more
For a detailed example of setting up encryption and using it from a C# application see this sample.
You can hard code required switch values in your copy of the Crypt.config.bat file (see the INITIALIZE RUNTIME DEFAULTS section of the batch file).