ASP.NET Core 5.0 - AppSettings Encryption

Ken Haggerty
Created 08/02/2021 - Updated 08/07/2021 01:19

This article describes how the email account password and the SQL Server connection string stored in app settings are encrypted and decrypted. I will assume you have downloaded the ASP.NET Core 5.0 - SMTP Settings Tester Project. Registered users can download the source code for free at Manage > Assets.

SMTP Settings Tester Project and Article Series

This project implements Bootstrap v5, Bootstrap Native, and the KenHaggerty.Com.SingleUser NuGet package, which provides log in and log out pages for a single user to access the Admin pages. jQuery has been removed. I created a topic, ASP.NET Core 5.0 - SMTP Settings Tester Project, for discussions. More details and screenshots at ASP.NET Core 5.0 - SMTP Settings Tester Project. The details page includes the version change log.

How does encryption work?

Encryption is the process of taking plain text, like a text message or email, and scrambling it into an unreadable format called "cipher text." This helps protect the confidentiality of digital data, whether stored on computer systems or transmitted through a network like the internet. When the intended recipient accesses the message, the information is translated back to its original form. This is called decryption. To unlock the message, the sender and the recipient must both hold the same "secret" encryption key. The key is not the algorithm: the algorithm (for example AES) is public and fixed, while the key is the secret input that makes the scrambling reversible only for whoever holds it. Advanced Encryption Standard (AES) has been the U.S. government standard (FIPS 197) since 2002 and is used worldwide. See What is encryption and how does it protect your data?.

I developed an AesCrypto class and an AES Cipher demo to encrypt and decrypt SQL Server connection strings. KenHaggerty.Com and projects which implement AesCrypto can also encrypt and decrypt email account passwords. The SMTP Settings Tester Project does not require SQL Server but includes an empty ApplicationDbContext and an encrypted DefaultConnection in app settings to demonstrate encryption for SQL Server ConnectionStrings. The AesCrypto class includes public static readonly properties CipherKey and CipherIV. Cipher text requires the same Key and IV to decrypt back to plain text, which also means anyone who can read the compiled assembly or the source can decrypt every setting: generate your own Key and IV, and treat them as secrets rather than committing the defaults below. Because the IV is fixed, encrypting the same plain text twice produces the same cipher text, so two settings with the same value are recognizably equal in the file.

Services.Utilities.AesCrypto.cs:
    /// <summary>
    /// The default Key property used to encrypt/decrypt strings.
    /// </summary>
    /// <remarks>
    /// This Key is used for demonstration purposes. You should generate a new Key then delete this remark.
    /// </remarks>
    public static readonly string CipherKey = "xafmg2H0bLk2kZc0PvklMQ==";
    /// <summary>
    /// The default initialization vector (IV) property used to encrypt/decrypt strings.
    /// </summary>
    /// <remarks>
    /// This IV is used for demonstration purposes. You should generate a new IV then delete this remark.
    /// </remarks>
    public static readonly string CipherIV = "VcCvRGkh9Z3NyN/09/Cspg==";

Use the AES Cipher at Demos/AESCipher in the project or Demo.KenHaggerty.Com - AES Cipher to generate the new Key and IV.

[Screenshots: AES Cipher demo page, desktop and mobile]

Update app settings with the encrypted password and set PasswordEncrypted to true.

"EmailSettings": {
  "Configured": true,
  "Timeout": 30000, // default 120000 = 2 minutes
  "MailServer": "mail.YourDomain.com",
  "MailPort": 8889,
  "SenderName": "Your Domain Support",
  "SenderEmail": "sender@YourDomain.com",
  "Password": "IJnsPDwDz6vGiglMR4UDL3jWPZiTX1qgvz0b+QzHNbI=",
  "PasswordEncrypted": true,
  "BannerBackcolor": "#FFFF00",
  "BannerColor": "#FFA500",
  "BannerText": "Your Domain",
  "EmailSignature": "Support",
  "SupportName": "Support",
  "SupportEmail": "support@YourDomain.com",
  "AdminEmail": "admin@YourDomain.com"
},

The Password is decrypted before the email is configured and sent.

var password = _emailSettings.Password;
if (_emailSettings.PasswordEncrypted)
    password = AesCrypto.DecryptString(AesCrypto.CipherKey, AesCrypto.CipherIV, password);

From Quickstart.txt:

AES Cipher Demo. SQL SERVER IS NOT REQUIRED.
The default SQL connection string is encrypted to demonstrate added security for production environments.

appsettings.json:
  "ConnectionStrings": {
    // Set connectionStringEncrypted in Startup.cs to false to use plain text. See Quickstart.txt.
    //"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=SmtpSettingsTester;Trusted_Connection=True;MultipleActiveResultSets=true;"
    // Remove the escape character (\\ to \) before encryption.
    "DefaultConnection": "4NlMUylxwA6nt/RTFWfFcGzhZtm9+Efbl2VJzoOywO73SkrzohRuUNX6wOud6YF1Ei/yoeuMKI1BNa49WJOhXMbDdw5rASxb2lPz3dvdNFXZq45mncouX8PMFbagYfIw9B7sfeySC7EWbUwtDdO2MBErbPpilYwJ6FWVVk5rTxQ="
  }

The DefaultConnection is decrypted if Startup.connectionStringEncrypted is true.

// Set to false to use plain text for appsettings.json's connection string. See Quickstart.txt.
private readonly bool connectionStringEncrypted = true;
...

public void ConfigureServices(IServiceCollection services)
{
    ...
    var connectionConfigured = Configuration.GetValue<bool>("ConnectionConfigured");
    if (connectionConfigured)
    {
        var defaultConnection = Configuration.GetConnectionString("DefaultConnection");
        if (connectionStringEncrypted)
            defaultConnection = AesCrypto.DecryptString(AesCrypto.CipherKey, AesCrypto.CipherIV, defaultConnection);

        services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(defaultConnection));
    }
    ...
}
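The encrypt and decrypt side of the password and connection string flows above, as an added example that is not the project's AesCrypto class (whose source is not shown on this page). It keeps the article's (key, iv, text) parameter order for DecryptString and assumes the same order for EncryptString; the 128-bit key size matches the 16-byte demo key. The random-IV variant and the APP_AES_KEY environment variable name are this example's own additions, shown because they remove the fixed IV and the compiled-in key from source.

```csharp
// Added example, not the project's AesCrypto: AES-CBC helpers in the shape the
// article uses, plus a hardened variant with a random IV per message.
using System;
using System.Security.Cryptography;
using System.Text;

public static class AesCryptoExample
{
    // Generate a fresh random Key and IV, base64 encoded like the article's
    // CipherKey and CipherIV. Aes.Create() defaults to CBC with PKCS7 padding;
    // 128-bit key size matches the 16-byte demo key (assumption).
    public static (string Key, string IV) GenerateKeyAndIv(int keySizeBits = 128)
    {
        using var aes = Aes.Create();
        aes.KeySize = keySizeBits;
        aes.GenerateKey();
        aes.GenerateIV();
        return (Convert.ToBase64String(aes.Key), Convert.ToBase64String(aes.IV));
    }

    // Same (key, iv, text) order as the article's AesCrypto.DecryptString.
    public static string EncryptString(string key, string iv, string plainText)
    {
        using var aes = Aes.Create();
        aes.Key = Convert.FromBase64String(key);
        aes.IV = Convert.FromBase64String(iv);
        using var encryptor = aes.CreateEncryptor();
        var plainBytes = Encoding.UTF8.GetBytes(plainText);
        var cipherBytes = encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
        return Convert.ToBase64String(cipherBytes);
    }

    public static string DecryptString(string key, string iv, string cipherText)
    {
        using var aes = Aes.Create();
        aes.Key = Convert.FromBase64String(key);
        aes.IV = Convert.FromBase64String(iv);
        using var decryptor = aes.CreateDecryptor();
        var cipherBytes = Convert.FromBase64String(cipherText);
        var plainBytes = decryptor.TransformFinalBlock(cipherBytes, 0, cipherBytes.Length);
        return Encoding.UTF8.GetString(plainBytes);
    }

    // Hardened variant (this example's addition): a random IV per call is
    // prepended to the cipher text, so no IV lives in source and equal plain
    // texts no longer produce equal cipher texts.
    public static string EncryptWithRandomIv(string plainText, byte[] key)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.GenerateIV();
        using var encryptor = aes.CreateEncryptor();
        var plainBytes = Encoding.UTF8.GetBytes(plainText);
        var cipherBytes = encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
        var output = new byte[aes.IV.Length + cipherBytes.Length];
        Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
        Buffer.BlockCopy(cipherBytes, 0, output, aes.IV.Length, cipherBytes.Length);
        return Convert.ToBase64String(output);
    }

    public static string DecryptWithRandomIv(string cipherText, byte[] key)
    {
        var input = Convert.FromBase64String(cipherText);
        using var aes = Aes.Create();
        aes.Key = key;
        var iv = new byte[aes.BlockSize / 8]; // 16 bytes for AES
        Buffer.BlockCopy(input, 0, iv, 0, iv.Length);
        aes.IV = iv;
        using var decryptor = aes.CreateDecryptor();
        var plainBytes = decryptor.TransformFinalBlock(input, iv.Length, input.Length - iv.Length);
        return Encoding.UTF8.GetString(plainBytes);
    }

    public static void Main()
    {
        // Constructed sample: the connection string carries a single backslash,
        // as the appsettings.json comment says it must before encryption.
        var (key, iv) = GenerateKeyAndIv();
        var connection = @"Server=(localdb)\mssqllocaldb;Database=SmtpSettingsTester;Trusted_Connection=True;MultipleActiveResultSets=true;";

        var c1 = EncryptString(key, iv, connection);
        var c2 = EncryptString(key, iv, connection);
        Console.WriteLine($"Fixed IV, identical cipher text twice: {c1 == c2}");
        Console.WriteLine($"Round trip ok: {DecryptString(key, iv, c1) == connection}");

        // Key from the environment (APP_AES_KEY is this example's name); falls
        // back to the generated key so the demo runs without configuration.
        var keyB64 = Environment.GetEnvironmentVariable("APP_AES_KEY") ?? key;
        var keyBytes = Convert.FromBase64String(keyB64);
        var r1 = EncryptWithRandomIv(connection, keyBytes);
        var r2 = EncryptWithRandomIv(connection, keyBytes);
        Console.WriteLine($"Random IV, identical cipher text twice: {r1 == r2}");
        Console.WriteLine($"Round trip ok: {DecryptWithRandomIv(r1, keyBytes) == connection}");
    }
}
```

Run it with `dotnet run` in a .NET 5 console project. The first pair of lines shows the fixed Key/IV behaviour of the article's approach (same input, same output); the second pair shows the random-IV variant, where the two cipher texts differ but both decrypt to the original string. Keeping the key out of the repository still matters in both cases: with the key in the environment or in a secrets store, appsettings.json can be committed without exposing the password or connection string.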

Article Tags:

Email Json Validation