Reprint how to Encrypt connection string in Web. config

Reprint Original Address: https://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/

The most sensitive information stored in Web. config file can be the the connection string. Want to disclose the information related to your the users where the application is deployed. Every time it isn't possible to has a private machine for your sites, and you could need to deploy the site in shared host env Ironment. To encrypt the connection string of above situation is advisable.

ASP. 2.0 provides in built functionality to encrypt few sections of Web. config file. The task can be completed using aspnet_regiis.exe.   Below is the Web. config file and <connectionStrings> section.

  1: <connectionStrings>   2:   <add name="cn1"     3:           connectionstring="server=db Server;   4:                             database=testdatabase;    5:                             uid=uid;    6:                             pwd=pwd;" />   7:  </connectionStrings>

fig– (1) Connection string section of Web. config file

To encrypt the connection string section follow the steps,

1. Programm Files, Go to Start, Microsoft Visual Studio 2005, Visual Tools
Microsoft Visual Studio 2005 Command Prompt

2. Type following command,

Aspnet_regiis.exe-pef "ConnectionStrings" C:\Projects\DemoApplication

-PEF Indicates the application is built as File System website. The second argument is the name of the "configuration section" needs to be encrypted. Third argument is the physical path where the Web. config file is located.

If you are using the IIS Base Web site The command would be,

aspnet_regiis.exe-pe "connectionStrings"-app "/demoapplication "

-pe Indicates the application is built as IIS based site. The second argument is the name of the "configuration section" needs to be encrypted. Third argument "-app" indicates virtual directory and last argument are the name of the virtual directory where application is Deployed.

If everything goes well you'll receive a message "Encrypting Configuration section ... succeeded! "

Open your Web. config file and you can see this connection string is encrypted,

 1: <connectionstrings configprotectionprovider="RsaProtectedConfigurationProvider">2: <encrypteddata type="http://www.w3.org/2001/04/xmlenc#Element"   3: xmlns="http://www.w3.org/2001/04/xmlenc#">4: <encryptionmethod algorithm="HTTP://WWW.W3.ORG/2001/04/XMLENC#TRIPLEDES-CBC"/>5: <keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">6: <encryptedkey xmlns="http://www.w3.org/2001/04/xmlenc#">7: <encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>8: <keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">9: <keyname>rsa key</keyname>Ten: </KeyInfo> One: <CipherData> A: <ciphervalue>ik+l105qm6wiiqgs9lsnf8rrxqtj2chewq7dbhapb440gynfeogf6y3em3iw/lydv8+ P8bisketi5ofy9gpzlcbir7n315q6rpbdcluo79o/lkadhx4jhfpnsiqnif/lhwjwklfc0=</ciphervalue> -: </CipherData> -: </EncryptedKey> the: </KeyInfo> -: <CipherData> -: <ciphervalue>jslrq5s8pq3u72nqzmsl/xllx72gm0o3ebplahrnvjtdgg9sedflgmjtfo10m1s7/mph//3mha7pr0dnhuj143svhu5yxodrc6z9ckr0uye4h7udvtkj8er3m9aphxoo1st1k3tclhd6a2bm+ Gqsk9d8pzcfbm8gmzmpjz1eliaxu62b4cg9snxp8o86o9n3fbl2mq</ciphervalue>   -: </CipherData> +: </EncryptedData> -: </connectionStrings>

fig– (2) Encrypted connection string section

You don't have the to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.

1 Response.Write (configurationmanager.connectionstrings["cn1"). ConnectionString);

Now to decrypt the configuration section in the Web. config file use following command,

For File System application,

Aspnet_regiis.exe-pdf "ConnectionStrings" C:\Projects\DemoApplication

For IIS based application

ASPNET_REGIIS.EXE-PD "ConnectionStrings"-app "/demoapplication"

If you want to encrypt any nested sections in Web. config file like <pages> element within <system.web> Need to write full section name as shown below,

Aspnet_regiis.exe-pef "system.web/pages" C:\Projects\DemoApplication

You can encrypt all the sections of the Web. config file except following using the method I displayed in this article,

<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>

To encrypt these sections you needed the use aspnet_setreg.exe tool. For more detail on aspnet_setreg.exe tool Search Microsoft knowledge Base article 329290, how to use the ASP. NET utility to encrypt credentials and session state connection strings.

Reprint how to Encrypt connection string in Web. config