Introduction
In this article I will show you how to use ASP.NET to encrypt and decrypt the connection string in Web.config.
Background Description
In previous blog posts, I wrote many articles about ASP.NET, GridView, SQL Server, Ajax, JavaScript, etc. In most cases, I put the connection string for the database in Web.config. It contains a lot of sensitive information, including the user name and password used to connect to the database, and so on. But is it safe to keep passwords in plain text in Web.config and machine.config?
If our program is only deployed on an internal server, this should be fine. But if our program is running on a shared host, then we should increase the security level. ASP.NET 2.0 provides a protected configuration model to encrypt and decrypt sections of Web.config. RsaProtectedConfigurationProvider is the default provider; it uses RSA public-key encryption to encrypt and decrypt the data.
The connection string in Web.config can be encrypted and decrypted by running the aspnet_regiis.exe command from the command line.
The first way
First, we encrypt and decrypt by executing aspnet_regiis.exe on the Windows command line.
Create a new Website project in Visual Studio, open Web.config and add the database connection string, such as:
<connectionStrings>
  <add name="dbconnection" connectionString="Data Source=rahulmittal;Integrated Security=true;Initial Catalog=mysampledb"/>
</connectionStrings>
Then we follow the steps below to encrypt and decrypt the database connection string:
1. Start menu >> All Programs >> Microsoft Visual Studio >> Visual Studio Tools >> Visual Studio 2008 Developer Command Prompt (on Windows 7, right-click and run as Administrator)
2. In the command window, enter the command aspnet_regiis.exe -pef "connectionStrings" "C:\VisualStudio2008\Authorization"
-pef indicates that the application is built as a file-system website. The second argument, "connectionStrings", is the name of the configuration section you want to encrypt. The third argument is the physical path of the folder that contains Web.config.
3. When the command succeeds, it displays a message that the encryption succeeded.
The Web.config of the application will then look something like this:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>znubienowlzzc8qbzhj5f2gs9glyskwcigcjgkrgzax8a+8o eissyohhxukvaubd3jizfc5ijblgt7hnxhofhxntupyz2y6tdkjdvgdmtcgvf8z2c990zomrbjg+vxhmgnlo1vthyhgx8x/bbze1prt1+ xdpep98vhf22d+lrvi=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>todwlpd0q/b/mp14gq/5tuxcjmhhcy9a0opunv5osnrmqrztgi2h5v6sxjoeh+nc+ g9gqnkv1huxf1s7eozrrly5/ldtlxzzqmuoqlsljus9igchvi33c9xg4rwgf15tpn4n34bpqbt94n0rpskq18v9hcpzii+uo64pla+ Ykdeqhc9aqr4go3mcfuzmy2s9gsxzrbzdq0ocwbdvx8ukx2udxaysvhc9fo7u6irlpu0+hodk95y3/a==</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
We do not have to write any code in the program to decrypt the connection string, because .NET will automatically decrypt it for us. If we want to use the connection string, we can read it as usual:
// Connection strings live in the ConnectionStrings collection, not in AppSettings.
string strconnection = ConfigurationManager.ConnectionStrings["dbconnection"].ConnectionString;
If we want to decrypt it, we just need to enter aspnet_regiis.exe -pdf "connectionStrings" "C:\VisualStudio2008\Authorization" in the Visual Studio command window.
When the command succeeds, it displays a message that the decryption succeeded.
Then open Web.config and we can see the decrypted string.
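A pre-deployment check for the two states described above (section protected after -pef, readable again after -pdf). This is an added example in Python, not code from the original article; audit_section and both sample documents are constructed for illustration, and it assumes connectionStrings is a direct child of an un-namespaced <configuration> element.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed sample inputs, modelled on the two Web.config states shown above.
PLAINTEXT = """<configuration>
  <connectionStrings>
    <add name="dbconnection" connectionString="Data Source=rahulmittal;Integrated Security=true;Initial Catalog=mysampledb"/>
  </connectionStrings>
</configuration>"""

PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_section(config_xml, section="connectionStrings"):
    """Classify one section of a Web.config document (hypothetical helper)."""
    root = ET.fromstring(config_xml)
    node = root.find(section)  # XML names are case-sensitive
    if node is None:
        return ("missing", None)
    provider = node.get("configProtectionProvider")
    cipher = node.find(f"{XMLENC}EncryptedData/{XMLENC}CipherData/{XMLENC}CipherValue")
    has_cipher = cipher is not None and bool((cipher.text or "").strip())
    readable = [a.get("name") for a in node.findall("add")]
    if readable:
        # Any readable <add> entry means the connection string is on disk in clear text.
        return ("plaintext", readable)
    if provider and has_cipher:
        return ("protected", provider)
    # e.g. configSource, empty section, or provider attribute without ciphertext
    return ("unverified", None)


if __name__ == "__main__":
    for label, doc in (("before -pef", PLAINTEXT), ("after -pef", PROTECTED)):
        print(label, "->", audit_section(doc))
```

Run against every Web.config in a release package, any result other than "protected" is a reason to stop the deployment and re-run the encryption step.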
Now we know how to encrypt and decrypt the connection string of a file-system website. If we want to encrypt the connection string of a site running on IIS, such as the Default Web Site, we can use the following commands.
Encrypt the Web.config for the IIS default Web site
aspnet_regiis.exe -pe "connectionStrings" -app "/samplewebsite"
-pe indicates that the application is running on IIS. The second argument is the name of the configuration section to be encrypted. -app is used to specify the virtual directory, and the last argument is the name of the virtual directory where the application is deployed.
Decrypt connectionStrings in Web.config of an IIS-based site
Decrypt Web.config on the IIS default Web site
aspnet_regiis.exe -pd "connectionStrings" -app "/samplewebsite"
Now we know how to use the aspnet_regiis.exe command-line tool to encrypt and decrypt Web.config. Next, I'll show you how to encrypt and decrypt Web.config in the code-behind.
The second way
In the second method I will encrypt and decrypt Web.config using RsaProtectedConfigurationProvider and DataProtectionConfigurationProvider.
First, open Default.aspx and add the following code:
Open the code-behind file and add the following namespaces:
using System;
using System.Configuration;
using System.Web.Configuration;
Then add the following code:
string provider = "RsaProtectedConfigurationProvider";
// Section names are case-sensitive; GetSection returns null for "ConnectionStrings".
string section = "connectionStrings";

protected void Page_Load(object sender, EventArgs e)
{
}

protected void btnEncrypt_Click(object sender, EventArgs e)
{
    // Open this application's Web.config and encrypt the section in place.
    Configuration confg = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection configSect = confg.GetSection(section);
    if (configSect != null)
    {
        configSect.SectionInformation.ProtectSection(provider);
        confg.Save();
    }
}

protected void btnDecrypt_Click(object sender, EventArgs e)
{
    // Decrypt only if the section exists and is currently protected.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection configSect = config.GetSection(section);
    if (configSect != null && configSect.SectionInformation.IsProtected)
    {
        configSect.SectionInformation.UnprotectSection();
        config.Save();
    }
}
When you are finished, open Web.config and add the database connection string:
<connectionStrings>
  <add name="dbconnection" connectionString="Data Source=rahulmittal;Integrated Security=true;Initial Catalog=mysampledb"/>
</connectionStrings>
Now run the program and click the Encrypt button, then open Web.config. It will look as follows:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>Wagj9ddjwtnc1nmyvnqxaqqxalqzxaichaotujvtwbrziut6uk1fbelm80pnl6dc5umb8qvfhdksmgomw9cjzwotz0zty17jbgzqrqmlfw2g9lacowiil0urx jhgmjmrxhwxhfpdgwevl7aoqgvljgabxuchutatxmfgooubcr0=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>qry5qnr3qxogyonpep7okeihpr/ pptsaeq2myussk7cg4kkl9upo4ryuxgbikgctsjbobqllyndcsbnyyek6bxg/ibl82g1r5j1ci8i1eyt8kidqouzyox5vtouerld4z1l+ 7wgf9wg37qah5riiefkchndjjq3dtqjxnnxzsno6ngbxsxdfqzwe/ekdvhgv3oatqsfjvmo8e5a9wvreyeeyasdhojx8j2mdy7/ Q9reipv98rtirxa==</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
If we want to use DataProtectionConfigurationProvider for encryption and decryption, just replace RsaProtectedConfigurationProvider with DataProtectionConfigurationProvider in the code.
Using ASP.NET to encrypt and decrypt connection strings in Web.config