.NET: Encrypting a custom configuration section in app.config

The Problem

We have created a custom configuration section for our application. The business has requested that this bit of the configuration be encrypted. This encryption must be system-level, not per-user.

After reading up a bit on encrypting configuration sections in app.confg, the recommended approach was to create an Installer class that would make the appropriate Configuration API calls to encrypt the specified section. Then, have the MSI call this Installer class during the Install phase.

The problem with this approach is that it assumes that the configuration section is one of the standard configuration sections provided by the .NET framework. However, due to the way the MSI installation happens, and the way that the stuff in System.Configuration works, the Install method of the Installer class fails with a FileNotFoundException.

The Solution

The solution feels like an ugly, nasty hack. Then again, aren't most things related to Configuration and Installation on .NET?

What we found out is that since the Installer isn't spinning up an AppDomain for the app you're installing, the assembly containing the custom Configuration classes needs to be in the GAC. The GAC? Yes, the GAC. I know. Ewwww. We didn't want to GAC the entire application, or even our Core assembly, as they had way to many dependencies that would also need to be GAC'd.

What we ended up doing was extracting the custom Configuration classes to a Core.Config assembly. We then changed the MSI to install this assembly into the GAC. Finally, we changed the Installer class to perform the encryption work during the Commit phase. This ensured that the Core.Config assembly had been GAC'd by the time we called ConfigurationManager.OpenExeConfiguration(exePath), the custom Configuration classes would be available for our use.

This was our solution. Please share if you know of a better solution!


comments powered by Disqus