Code Simplified – Viral Sarvaiya

Code Simplified – Viral Sarvaiya, Web Developer Friends, dot net Developer, Sql Server Developer

How to Encrypt connection string in web.config

Posted by Viral Sarvaiya on September 10, 2009

The most sensitive information stored in web.config file can be the connection string. You do not want to disclose the information related to your database to all the users where the application is deployed. Every time it is not possible to have a private machine for your sites, you may need to deploy the site in shared host environment. To encrypt the connection string in above situation is advisable.

ASP.NET 2.0 provides in built functionality to encrypt few sections of web.config file. The task can be completed using Aspnet_regiis.exe. Below is the web.config file and <connectionStrings> section.

   1: <connectionStrings>
   2:   <add name="cn1"
   3:           connectionString="Server=DB SERVER;
   4:                             database=TestDatabase;
   5:                             uid=UID;
   6:                             pwd=PWD;" />
   7:  </connectionStrings>

Fig – (1) Connection string section of web.config file

To encrypt the connection string section follow the steps,

1. Go to Start -> Programm Files -> Microsoft Visual Studio 2005 -> Visual Tools
-> Microsoft Visual Studio 2005 Command Prompt

2. Type following command,

aspnet_regiis.exe -pef “connectionStrings” C:\Projects\DemoApplication

-pef indicates that the application is built as File System website.  The second argument is the name of configuration section needs to be encrypted. Third argument is the physical path where the web.config file is located.

If you are using IIS base web site the command will be,

aspnet_regiis.exe -pe “connectionStrings” -app “/DemoApplication”

-pe indicates that the application is built as IIS based site. The second argument is the name of configuration section needs to be encrypted. Third argument “-app” indicates virtual directory and last argument is the name of virtual directory where application is deployed.

If everything goes well you will receive a message “Encrypting configuration section…Succeeded!”

Open your web.config file and you can see that connection string is encrypted,

   1: <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
   2:   <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
   3:    xmlns="http://www.w3.org/2001/04/xmlenc#">
   4:    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
   5:    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   6:     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
   7:      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
   8:      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   9:       <KeyName>Rsa Key</KeyName>
  10:      </KeyInfo>
  11:      <CipherData>
  12:       <CipherValue>Ik+l105qm6WIIQgS9LsnF8RRxQtj2ChEwq7DbHapb440GynFEoGF6Y3EM3Iw/lyDV8+P8bIsketi5Ofy9gpZlCBir7n315Q6RPbdclUo79o/LKadhX4jHFpnSIQNIF/LhwjwkLFC0=</CipherValue>
  13:      </CipherData>
  14:     </EncryptedKey>
  15:    </KeyInfo>
  16:    <CipherData>
  17:     <CipherValue>JsLrQ5S8Pq3U72nQzmSl/XlLX72GM0O3EbPLaHRNvjTDgG9seDflGMjTfO10M1s7/mPh//3MhA7pr0dNHUJ143Svhu5YXODRC6z9CkR0uyE4H7uDvTKJ8eR3m9APhXoo1sT1K3tCLHD6a2BM+gqSk9d8PzCfbM8Gmzmpjz1ElIaxu62b4cg9SNxp8o86O9N3fBl2mq</CipherValue>
  18:    </CipherData>
  19:   </EncryptedData>
  20:  </connectionStrings>

Fig – (2) Encrypted connection string section

You do not have to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.

   1: Response.Write(ConfigurationManager.ConnectionStrings["cn1"].ConnectionString);

Now to decrypt the configuration section in web.config file use following command,

For File System Application,

aspnet_regiis.exe -pdf “connectionStrings” C:\Projects\DemoApplication

For IIS based Application

aspnet_regiis.exe -pd “connectionStrings” -app “/DemoApplication”

If you want to encrypt any nested section in web.config file like <pages> element within <system.web> you need to write full section name as shown below,

aspnet_regiis.exe -pef “system.web/Pages” C:\Projects\DemoApplication

You can encrypt all the sections of web.config file except following using the method I displayed in this article,

<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>

To encrypt these section you needed to use Aspnet_setreg.exe tool.  For more detail about Aspnet_setreg.exe tool search Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.

Advertisements

3 Responses to “How to Encrypt connection string in web.config”

  1. umesh pandit said

    nice article,
    but u can programmatically encrypt & decrypt any part of the .config file
    here is the code

    Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath)
    Dim configSection As ConfigurationSection = config.GetSection(“connectionStrings”)
    If configSection.SectionInformation.IsProtected Then
    configSection.SectionInformation.UnprotectSection()
    Else
    configSection.SectionInformation.ProtectSection(“dataProtectionProvider”)
    End If
    config.Save()

  2. KarmaKing said

    Great info.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: