My DPAPI Example

In a recent posting to the aspnet-security group at ASP Advice, Julie Lerman asked:

Since the site is hosted on someone else’s server, I don’t believe that I can use DPAPI to encrypt the connection strings

Actually, you can, and I use DPAPI on a number of sites in shared hosting environments.  I typically use the machine store as the data protection store, rather than the user store, but that’s a personal habit when looking at the shared hosting environment.

One downside to the machine store is that anyone who has access to the same server can decrypt your application settings, unless you set an entropy value.  In my sample project, I set the entropy when the DPAPI helper is instantiated.

I mentioned I had a small project I use to encrypt connection strings using Carl Franklin’s DPAPI helper.  All I do is upload two DLLs and my ASPX to the site I’m working on, enter the connection string (or whatever), click Encrypt, and copy the output to the web.config.  When I’m done, I delete the DLLs and page so no one accidentally finds them.  You can find my little project at

To use my little project:

  1. Download and unzip Carl’s DPAPI helper from
  2. Download my dpapi example from  Unzip it to c:\inetpub\wwwroot\dpapi.
  3. Create an IIS application named dpapi (address will be http://localhost/dpapi) that points to c:\inetpub\wwwroot\dpapi. 
  4. Open the solution file in VS
  5. Add a reference to the DPAPI Helper DLL, found at <install>\DPAPIHelper\bin\DPAPIHelper.dll.  Make sure to use the dpapihelper.dll!  There is also a dpaphelper.dll (missing an ‘i’ in the name), and I’m not sure what that’s for.
  6. Recompile the project.
  7. Deploy the dpapihelper.dll and dpapi.dll to the site’s BIN folder, and dpapi.aspx to the site’s root folder.
  8. Load the dpapi.aspx page, and encrypt on!

Drop me a line or leave comments with any Q’s.

<update 2005-06-16>To use the DPAPI encrypted strings in your application, you need to include two lines of code, one is the constructor that starts “DIM dp…”, and the other is the dp.decrypt method call.  In the constructor, there is a short string passed in as a function argument.  This argument(sometimes called an “initialization vector“ or “secondary entropy“ or just “key“, I’m not 100% sure of the exact correct term so anyone works for me) has to be exactly the same in your app as in the DLL used to encrypt your strings.  Otherwise, you won’t be able to properly decrypt the information in your app.  I recommend changing the entropy if you use this example, and use a different one for each site.  Remember also to leave the DPAPIHelper.dll on your site if you plan to decrypt the encrypted values.</update>