Secure Configuration File Encryption in Azure Web Apps and Web Jobs
Azure Web Apps and Web Jobs operate on a distinct hosting model that makes conventional configuration encryption methods, such as DataProtectionConfigurationProvider and RSAProtectedConfigurationProvider, unreliable for long-term decryption. To securely encrypt sensitive configuration data, such as connection strings and application settings, it is recommended to use certificate-based encryption. This method ensures compatibility and robustness specifically for Azure environments.
Proposed Solution
1. Generating an Encryption Certificate
Using PowerShell, you can generate an encryption certificate. Execute the following commands with administrative privileges:
# Step 1: Create a self-signed certificate
$encryptionCert = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject "CN=ConfigEncryption" -KeyExportPolicy Exportable -KeySpec KeyExchange
# Step 2: Export encryption certificate in ".cer" format
Export-Certificate -Cert $encryptionCert -FilePath ".\ConfigEncryption.cer"
# Step 3: Create a password-protected certificate in `.pfx` format for decryption
$securePwd = ConvertTo-SecureString -String "StrongPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $encryptionCert -FilePath ".\ConfigEncryption.pfx" -Password $securePwd
The .cer file is used for encryption, while the .pfx file is secured using a password for decryption purposes.
2. Importing Certificates to Windows
Import the .cer File:
Add the encryption certificate to the local machine’s certificate store:
Import-Certificate -FilePath ".\ConfigEncryption.cer" -CertStoreLocation Cert:\LocalMachine\My
Import the .pfx File:
Add the decryption certificate into the same certificate store:
$securePwd = ConvertTo-SecureString -String "StrongPassword123" -Force -AsPlainText
Import-PfxCertificate -FilePath ".\ConfigEncryption.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $securePwd
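The following script is an added example, not part of the original guide, that carries steps 1 and 2 through end to end: it creates the certificate, exports the .cer/.pfx pair, imports both into LocalMachine\My, confirms the private key landed in the store, and prints the thumbprint that the provider element and WEBSITE_LOAD_CERTIFICATES will need later. The output directory, the subject name and the prompt for the PFX password are assumptions; run it as a script file from an elevated PowerShell.

```powershell
# Added example (not the guide's own code): generate, export and import the
# configuration-encryption certificate, then report its thumbprint.
# Assumptions: Windows, elevated PowerShell; $OutDir and $Subject are placeholders.
param(
    [string]$OutDir = ".",
    [string]$Subject = "CN=ConfigEncryption",
    # Prompting keeps the PFX password out of scripts and shell history.
    [SecureString]$PfxPassword = (Read-Host -Prompt "PFX password" -AsSecureString)
)

$ErrorActionPreference = "Stop"

# Step 1: self-signed document-encryption certificate with an exportable private key.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject $Subject `
    -KeyExportPolicy Exportable -KeySpec KeyExchange

$cerPath = Join-Path $OutDir "ConfigEncryption.cer"
$pfxPath = Join-Path $OutDir "ConfigEncryption.pfx"

# Public certificate (encryption side) and password-protected PFX (decryption side).
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

# Step 2: import both files into the machine store, as the guide does.
Import-Certificate    -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword | Out-Null

# Check: the certificate must be in LocalMachine\My together with its private key,
# otherwise aspnet_regiis can encrypt but nothing on this machine can decrypt.
$stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $stored -or -not $stored.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is missing from LocalMachine\My or has no private key."
}

# The thumbprint goes into the Pkcs12Provider element and into WEBSITE_LOAD_CERTIFICATES;
# the PFX is the file that is uploaded to Azure.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = (Resolve-Path $cerPath).Path
    PfxFile    = (Resolve-Path $pfxPath).Path
}
```

Keep the NotAfter date: New-SelfSignedCertificate issues a one-year certificate by default, and an expired decryption certificate breaks every protected section at once, so it belongs in the rotation calendar.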
3. Encrypting Web.Config or App.Config
For Web Jobs, rename the app.config file to web.config for the deployment and encryption step. Use the NuGet package WebConfigEncrypter to apply encryption. Then add the provider details to your configuration file, replacing the thumbprint value with the actual certificate fingerprint:
<configuration>
  <configProtectedData>
    <providers>
      <add name="Pkcs12Provider"
           thumbprint="YOUR_CERTIFICATE_FINGERPRINT"
           type="WebConfigEncrypter.Pkcs12ProtectedConfigurationProvider, WebConfigEncrypter"
           storeLocation="LocalMachine"/>
    </providers>
  </configProtectedData>
</configuration>
4. Encrypt Sensitive Nodes
To encrypt specific nodes like connectionStrings or appSettings in the web.config file, execute the following command in the Visual Studio Developer Command Prompt (the -pef switch takes the directory that contains web.config, not the file itself):
aspnet_regiis -pef "connectionStrings" "absolute_path_to_directory_containing_web_config" -prov "Pkcs12Provider"
If the above command fails, ensure the required DLLs (WebConfigEncrypter.dll, System.Configuration.ConfigurationManager.dll, System.Security.Cryptography.Xml.dll) are present in the directory that contains aspnet_regiis.exe.
Once the process is successful, the configuration file will exhibit encrypted data, as shown below:
<connectionStrings configProtectionProvider="Pkcs12Provider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
    <CipherData>
      <CipherValue>EncryptedDataHere</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
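The script below is an added example, not part of the original guide, that wraps step 4: it refuses to run while the provider element still carries the placeholder thumbprint or names a certificate that is not in the configured store, encrypts each requested section with aspnet_regiis, and then parses web.config to confirm every section is marked with configProtectionProvider, contains an xmlenc EncryptedData child, and no longer holds a plaintext connectionString or value attribute. The .NET Framework 4.x path to aspnet_regiis.exe and the default section list are assumptions.

```powershell
# Added example (not the guide's own code): encrypt sections with Pkcs12Provider
# and verify that no plaintext survives in web.config.
# Assumptions: $WebRoot is the folder containing web.config; aspnet_regiis.exe
# lives in the default .NET Framework 4.x directory.
param(
    [Parameter(Mandatory)] [string]$WebRoot,
    [string[]]$Sections = @("connectionStrings", "appSettings"),
    [string]$Provider = "Pkcs12Provider"
)

$ErrorActionPreference = "Stop"
$regiis     = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$configPath = Join-Path $WebRoot "web.config"
if (-not (Test-Path $regiis))     { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $configPath)) { throw "web.config not found in $WebRoot" }

# Pre-check: provider element present, real thumbprint, certificate in the named store.
[xml]$before = Get-Content $configPath
$prov = $before.configuration.configProtectedData.providers.add | Where-Object { $_.name -eq $Provider }
if (-not $prov) { throw "No <add name=`"$Provider`"> under configProtectedData/providers" }
if ($prov.thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Provider thumbprint '$($prov.thumbprint)' is not a SHA-1 thumbprint (placeholder left in place?)"
}
$store = if ($prov.storeLocation) { $prov.storeLocation } else { "CurrentUser" }
$cert  = Get-ChildItem "Cert:\$store\My" | Where-Object { $_.Thumbprint -eq $prov.thumbprint }
if (-not $cert) { throw "Certificate $($prov.thumbprint) is not in $store\My on this machine" }

# Encrypt each section; -pef takes the directory that contains web.config.
foreach ($section in $Sections) {
    & $regiis -pef $section $WebRoot -prov $Provider
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for section '$section' (exit $LASTEXITCODE)" }
}

# Post-check: each section is protected, carries EncryptedData, and has no plaintext entries.
[xml]$after = Get-Content $configPath
$xmlenc = "http://www.w3.org/2001/04/xmlenc#"
foreach ($section in $Sections) {
    $node = $after.configuration.SelectSingleNode($section)
    if (-not $node) { throw "Section <$section> missing after encryption" }
    if ($node.GetAttribute("configProtectionProvider") -ne $Provider) {
        throw "<$section> is not marked as protected by $Provider"
    }
    $enc = $node.ChildNodes | Where-Object { $_.LocalName -eq "EncryptedData" -and $_.NamespaceURI -eq $xmlenc }
    if (-not $enc) { throw "<$section> has no EncryptedData child" }
    $plain = $node.SelectNodes(".//*[@connectionString or @value]")
    if ($plain.Count -gt 0) { throw "<$section> still contains $($plain.Count) plaintext entries" }
}
"Encrypted sections: $($Sections -join ', ') (provider $Provider, thumbprint $($prov.thumbprint))"
```

Running this as the last step of the build, before the artifact is packaged, turns "the file looks encrypted" into a failing build whenever a section was skipped or the placeholder thumbprint was left behind.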
5. Update Configuration for Azure Deployment
Before deploying to Azure, change the storeLocation attribute to CurrentUser in the web.config file so that Azure can read the certificates uploaded to the portal:
<add name="Pkcs12Provider"
     thumbprint="YOUR_CERTIFICATE_FINGERPRINT"
     type="WebConfigEncrypter.Pkcs12ProtectedConfigurationProvider, WebConfigEncrypter"
     storeLocation="CurrentUser"/>
6. Upload Certificate to Azure
- Navigate to your Azure Web App in the portal.
- Upload the generated .pfx file under the Settings > Certificates section.
7. Configure Application Settings
In Azure, add a special key-value pair in your application settings. Use WEBSITE_LOAD_CERTIFICATES as the key, and specify the certificate thumbprint, or set the value to * to load all certificates in the specified store.
8. Verify Functionality
After deploying the application, run tests to ensure encrypted configuration nodes are functioning correctly and sensitive data is properly protected.
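As an added example, not part of the original guide, the check below can be run in the App Service Kudu PowerShell console after deployment (steps 5 to 8) to confirm that the decryption certificate actually reached the app's sandbox: it verifies that WEBSITE_LOAD_CERTIFICATES is set and covers the thumbprint named in the provider element, that storeLocation was switched to CurrentUser, and that the certificate is present in CurrentUser\My with a private key and has not expired. The default path to the deployed web.config is an assumption.

```powershell
# Added example (not the guide's own code): post-deployment check that the
# Pkcs12Provider certificate is loadable inside the App Service sandbox.
# Assumption: $ConfigPath points at the deployed web.config (Web Jobs: the job's renamed config).
param([string]$ConfigPath = "D:\home\site\wwwroot\web.config")

$ErrorActionPreference = "Stop"

# 1. The app setting must exist; "*" loads every certificate uploaded to the app.
$load = $env:WEBSITE_LOAD_CERTIFICATES
if ([string]::IsNullOrWhiteSpace($load)) { throw "WEBSITE_LOAD_CERTIFICATES is not set for this app" }

# 2. Read the thumbprint and store location the provider element expects.
[xml]$cfg = Get-Content $ConfigPath
$prov = $cfg.configuration.configProtectedData.providers.add | Where-Object { $_.name -eq "Pkcs12Provider" }
if (-not $prov) { throw "Pkcs12Provider element not found in $ConfigPath" }
if ($prov.storeLocation -ne "CurrentUser") {
    throw "storeLocation is '$($prov.storeLocation)'; Azure exposes uploaded certificates under CurrentUser"
}
$wanted = $prov.thumbprint.ToUpperInvariant()

# 3. The app setting must cover this thumbprint, explicitly or via "*".
$listed = $load.Split(",") | ForEach-Object { $_.Trim().ToUpperInvariant() }
if ($load.Trim() -ne "*" -and $listed -notcontains $wanted) {
    throw "WEBSITE_LOAD_CERTIFICATES does not include $wanted"
}

# 4. The certificate must be in CurrentUser\My with its private key (the .pfx, not only the .cer).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) { throw "Certificate $wanted is not loaded into CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $wanted has no private key; upload the .pfx, not the .cer" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $wanted expired on $($cert.NotAfter)" }

"OK: $wanted present in CurrentUser\My with private key, expires $($cert.NotAfter)"
```

A failure in step 4 is the usual cause of a deployed app that starts and then throws on first access to a protected section: the setting was added, but the wrong file was uploaded or the thumbprint in web.config does not match the uploaded certificate.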
Summary
This method focuses on encryption that leverages certificates, ensuring secure handling of sensitive configuration data in Azure Web Apps and Web Jobs. By following this step-by-step guide, you can automate and integrate secure practices across local development and cloud deployment environments.