20

I have written the name of my database, username and password in my web.config file as connection string.

I want to encrypt this data. How can I do it?

<connectionStrings>
  <add name="ISP_ConnectionString" connectionString="Data Source=JIGAR;
             Initial Catalog=ISP;Integrated Security=True;
             User ID=jigar;Password=jigar123;"
             providerName="System.Data.SqlClient" />
</connectionStrings>
2 Answers

15

You can just use the aspnet_regiis tool to do that; just do:

C:\WINDOWS\Microsoft.Net\Framework(64)\(.Net version)\aspnet_regiis -pe "connectionStrings" 

For a specific application you can use the app argument "-app application name", and for a specific site you can also use the site argument "-site site id".

For more details see http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx.

Note that this works for a web application only and not for a Windows application.

Also note that you have to run it from a command prompt with elevated privileges ("run as administrator").


4 Comments

It's encrypting the connection string with the DPAPI key, which is specific to a machine. In a webfarm environment, will this work?
@Dhanuka Why shouldn't it?
Answering my own question: well, it should work if the encryption is done on both servers separately. The scenario that came to my mind was that you cannot use the encrypted web.config file from Server A on Server B.
@Dhanuka777 Just to clarify, when you said a "webfarm", you apparently meant to say "server farm" (as opposed to the ASP.Net WebForms framework), and I would agree that it should work, but it needs to be encrypted on each machine separately, due to the fact that the encryption is done with the machine key.
5

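In one particular application, I call the following routine on startup:

Imports System.Configuration
Imports System.Diagnostics

' Encrypts the appSettings section of the application's own config file
' if it is not protected yet.
Private Sub CheckConfigFile()
    ' Open the configuration file of the running executable.
    Dim config As System.Configuration.Configuration = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
    Dim sec As ConfigurationSection = config.AppSettings

    If sec IsNot Nothing Then
        ' Only encrypt when the section is still stored unprotected.
        If sec.SectionInformation.IsProtected = False Then
            Debug.Write("Encrypting the application settings...")
            sec.SectionInformation.ProtectSection(String.Empty)
            ' Force the section to be written out, then save the file.
            sec.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Full)
            Debug.WriteLine("done!")
        End If
    End If
End Sub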

2 Comments

Encrypting it on application startup doesn't help you if someone breaks into your webserver. It should be encrypted when it's deployed.
Excellent. Rather than run this on startup, create a separate ASPX page where you can run this code as needed (right after deployment). For people with "<trust level="Medium" />", temporarily set "<trust level="Full" />" before you run it, and then revert back to "Medium" when done.
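
The comments above say the section should already be encrypted at deployment, separately on each server. The following is an added example, not part of the thread and not any poster's code: a PowerShell check that reports whether a section of a web.config is protected. The function name, the status strings and both sample documents are constructed for illustration; the second sample only shows the shape of a protected section, with a placeholder instead of cipher text.

```powershell
# Added example (not from the thread): deployment check for a protected config section.
function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory)] [xml]$Config,
        [string]$Section = 'connectionStrings'
    )
    # local-name() keeps the lookup working when <configuration> declares a default xmlns.
    $node = $Config.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$Section']")
    if ($null -eq $node) {
        return [pscustomobject]@{ Section = $Section; Status = 'Missing'; Provider = ''; Plaintext = @() }
    }
    # A protected section carries configProtectionProvider and an <EncryptedData> child.
    $provider  = $node.GetAttribute('configProtectionProvider')
    $encrypted = $node.SelectSingleNode("*[local-name()='EncryptedData']")
    # Any <add> still readable in the section is plaintext; list those carrying a password.
    $leaks = @(foreach ($add in $node.SelectNodes("*[local-name()='add']")) {
        if ($add.GetAttribute('connectionString') -match '\b(password|pwd)\s*=') {
            $add.GetAttribute('name')
        }
    })
    $ok = $provider -and ($null -ne $encrypted) -and ($leaks.Count -eq 0)
    $status = if ($ok) { 'Protected' } else { 'NotProtected' }
    [pscustomobject]@{ Section = $Section; Status = $status; Provider = $provider; Plaintext = $leaks }
}

# Constructed sample: the question's section before encryption.
[xml]$before = @'
<configuration>
  <connectionStrings>
    <add name="ISP_ConnectionString" connectionString="Data Source=JIGAR;Initial Catalog=ISP;User ID=jigar;Password=jigar123;" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@
# Constructed sample: shape of a protected section (cipher text replaced by a placeholder).
[xml]$after = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@
Test-ConfigSectionProtected -Config $before
Test-ConfigSectionProtected -Config $after
```

In a deployment step, load the deployed file with `[xml](Get-Content -Raw <path>)` and fail the step when `Status` is not `Protected`.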
