IMPORTANT: This version of Sitefinity CMS is out of support and the respective product documentation is no longer maintained and can be outdated. Use the version selector to view a supported product version.

Administration: Encrypt sensitive data in configurations

Sitefinity CMS enables you to encrypt sensitive data located in the system configurations. For example, you can encrypt passwords or secret keys. You configure encryption options per configuration section. The administrative backend UI (Administration -> Settings -> Advanced) exposes an option to encrypt settings, which are considered sensitive data. This functionality is available via the Show encryption options button, located in the upper right-hand corner of each configuration section, for example:

Clicking the button displays the persistence options for each applicable configuration setting:

Out of the box, Sitefinity CMS supports the following built-in options to persist configuration values:

No encryption
The value is persisted in plain text.
This is the default option.
Encrypted value
The value is encrypted with the default Sitefinity CMS encryption algorithm, and the encrypted value is persisted. For example:

NOTE: When retrieving a configuration setting value via the Sitefinity CMS Configurations API, you do not need to decrypt the value yourself - Sitefinity CMS will decrypt the value internally for you.
Key to app setting
Using this option instructs Sitefinity CMS to look for the value of the configuration setting inside the web.config <appSettings> section, instead of persisting it in the default configuration location. Use this option if you want to take control over the encryption of the values yourself, for example leverage the default ASP.NET mechanism for encrypting web.config sections. For more information, refer to this MSDN article: Encrypting a Web Configuration Section. Unlike the first two modes, when using Key to app setting option, you do not enter the desired configuration setting value in Sitefinity CMS, but you specify a key name instead. You can use some unique prefix when coming up withthe key name, so it's easily distinguishable that this is not a configuration value, but a key name. For example:

Sitefinity CMS will use this key to look for the value of the setting inside the web.config <appSettings> section. Then you must manually add that key and the desired configuration value inside the web.config <appSettings> section as a key-value pair. For example:

Next: HTML sanitization

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel