UiPath Orchestrator Guide

Encrypting Web.config Sections

The Web.config file contains sensitive information that you may want to secure. You can encrypt specific sections of this file with the Aspnet_regiis.exe tool.

Important!

Once encrypted, the data cannot be changed by directly editing the Web.config file, nor from IIS. It must be decrypted and then re-encrypted.

The EncryptionKey which is stored in Web.config, in the secureAppSettings section, is used to encrypt and/or decrypt passwords for credential assets and Robot credentials. It is automatically generated when you first install Orchestrator.

This section can also be encrypted using the Aspnet_regiis.exe tool, thus ensuring that nobody can use the key to decrypt the information you store in Orchestrator.

To encrypt the aforementioned section of the Web.config file, perform the following steps AFTER installing Orchestrator:

  1. Open the Command Prompt.
  2. Change the directory to the location of the Aspnet_regiis.exe tool. This is usually located in %SystemRoot%\Microsoft.NET\Framework\versionNumber. For example: cd %SystemRoot%\Microsoft.NET\Framework\v4.0.30319.
  3. Run the following command:
     aspnet_regiis -pe "secureAppSettings" -site "UiPathOrchestrator2017.1" -app "/" -prov "RsaProtectedConfigurationProvider"
    Where:
    • -pe - indicates which configuration section should be encrypted.
    • -site - represents the site of the virtual path specified as the value of the -app argument. Change the value of this argument ("UiPathOrchestrator2017.1") if your instance’s name is different. If this is not specified, the default web site is used.
    • -app - the virtual path at which the section is encrypted. It must begin with a forward slash. If the value is just '/', it points to the root of the site.
    • -prov - the library used to encrypt the secureAppSettings. You can use "RsaProtectedConfigurationProvider" or "DataProtectionConfigurationProvider" as values for this argument. The first option uses the RSA cryptosystem, while the latter uses DPAPI. We recommend using the RSA one as it provides more flexibility.
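
The steps above, plus the decrypt-then-re-encrypt cycle that the Important note requires, as an added PowerShell example (not part of the original guide and not UiPath code). The script and its parameters are hypothetical, the Web.config path is a placeholder, and it assumes an elevated session; decryption uses the tool's -pd option.

```powershell
# Added example (hypothetical script, not UiPath code): encrypt or decrypt the
# secureAppSettings section, then confirm the on-disk result.
param(
    [string]$Site      = 'UiPathOrchestrator2017.1',           # change if your site name differs
    [string]$WebConfig = 'C:\path\to\Orchestrator\Web.config', # placeholder path (assumption)
    [string]$Provider  = 'RsaProtectedConfigurationProvider',
    [switch]$Decrypt                                           # decrypt for editing instead
)
$ErrorActionPreference = 'Stop'
$regiis = Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }
$WebConfig = (Resolve-Path $WebConfig).Path   # XmlDocument.Load needs an absolute path

function Get-SectionState([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.DocumentElement.ChildNodes |
        Where-Object { $_.LocalName -eq 'secureAppSettings' } | Select-Object -First 1
    if ($null -eq $node) { return 'missing' }
    # An encrypted section names its provider and contains an EncryptedData element
    $enc = $node.ChildNodes | Where-Object { $_.LocalName -eq 'EncryptedData' }
    if ($node.GetAttribute('configProtectionProvider') -and $enc) { return 'encrypted' }
    return 'plaintext'
}

$want   = if ($Decrypt) { 'plaintext' } else { 'encrypted' }
$before = Get-SectionState $WebConfig
if ($before -eq 'missing') { throw "No secureAppSettings section in $WebConfig" }
if ($before -eq $want)     { Write-Host "secureAppSettings is already $want"; return }

if ($Decrypt) {
    # -pd reverses -pe; it takes the same -site and -app arguments
    & $regiis -pd 'secureAppSettings' -site $Site -app '/'
} else {
    & $regiis -pe 'secureAppSettings' -site $Site -app '/' -prov $Provider
}
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

# Do not trust the tool's console output alone: re-read the file and check it
$after = Get-SectionState $WebConfig
if ($after -ne $want) { throw "Expected $want but Web.config is $after" }
Write-Host "secureAppSettings: $before -> $after"
```

Any plaintext copy of Web.config, such as a backup taken before encrypting, still exposes the EncryptionKey.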

For more information on the Aspnet_regiis.exe tool, please run the following command: aspnet_regiis --help.