5

I have the following appsettings.json inside my ASP.NET Core MVC web application:

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\ProjectsV13;Database=LandingPage;Trusted_Connection=True;"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*",
  "SMTP": {
    "pass": "************"
  }
}

where I am storing an SMTP password, and when I publish the application to a shared hosting provider, I will add a SQL Server username and password inside the appsettings.json's connection string.

So my question is: how can I encrypt sections inside my appsettings.json hosted inside a remote shared hosting provider inside IIS? I am fine with keeping the password inside the Visual Studio project, but I want to encrypt the hosted appsettings.json. Is this possible?

Thanks

2
  • Similar Question on SO Commented Jun 24, 2020 at 16:40
  • @शेखर thanks for the link, but it did not mention how we can encrypt sections of the appsettings.json Commented Jun 24, 2020 at 18:28

1 Answer

5

how can I encrypt sections inside my appsettings.json hosted inside a remote shared hosting provider inside IIS? I am fine with keeping the password inside the Visual Studio project, but I want to encrypt the hosted appsettings.json. Is this possible?

First, you need to encrypt the password in some way. Here you have a lot of choices.

The official recommendation is to use Data Protection like this:

string encryptedStr = _protector.Protect("Unencrypted string");

Then, in your project, you will find an appsettings.Development.json file under the appsettings.json file.

By default, the variables used in the development environment are stored in appsettings.Development.json, while the variables used in the production environment are stored in the appsettings.json file.

So you can put the encrypted content in the appsettings.json file, and put the unencrypted password in the appsettings.Development.json file.

And ensure that their keys in the JSON are the same, but one value is encrypted and the other is unencrypted.

Then, in the controller that reads the password, inject three services (DataProtection, IHostingEnvironment and IConfiguration), check whether the environment is production or development before obtaining the value, and then decide whether to decrypt the value.

using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration; 

namespace WebApplication_core_new.Controllers
{
    public class DefaultController : Controller
    {
        private readonly string _environmentName;
        private readonly IConfiguration _configuration;
        private readonly IDataProtector _protector;
        public DefaultController(IHostingEnvironment hostingEnvironment, IConfiguration configuration, IDataProtectionProvider provider)
        {
            _protector = provider.CreateProtector(GetType().FullName);
            _environmentName = hostingEnvironment.EnvironmentName;
            _configuration = configuration;
        }

        public IActionResult Index()
        {
            // here you can get the data in appsettings.json
            string data = _environmentName == "Development" ? _configuration["MySercet"] : _protector.Unprotect(_configuration["MySercet"]);
            return View();
        }
    }
}

In the appsettings.json file:

{
  //... 
  "MySercet": "Encrypted string"
}

In the appsettings.Development.json file:

 {
      //... 
      "MySercet": "Unencrypted string"
 }
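An added example, not code from the original answer: a small console tool that produces the encrypted value for appsettings.json and shows that it only decrypts when the key ring, application name and purpose string match what the hosted app uses. The class name `SecretTool`, the key-ring folder argument and the application name `LandingPage` are assumptions; the purpose string is the one the controller above derives from `GetType().FullName`.

```csharp
// Added example. Needs the Microsoft.AspNetCore.DataProtection.Extensions package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class SecretTool
{
    // Assumed application name; the hosted app must set the same one, e.g. in Startup:
    //   services.AddDataProtection()
    //           .PersistKeysToFileSystem(new DirectoryInfo(keyDir))
    //           .SetApplicationName("LandingPage");
    const string AppName = "LandingPage";

    // The answer's controller calls CreateProtector(GetType().FullName), so this
    // is the purpose string its Unprotect call will use.
    const string Purpose = "WebApplication_core_new.Controllers.DefaultController";

    static IDataProtector Protector(string keyDir, string purpose) =>
        DataProtectionProvider
            .Create(new DirectoryInfo(keyDir), b => b.SetApplicationName(AppName))
            .CreateProtector(purpose);

    public static string Protect(string keyDir, string secret) =>
        Protector(keyDir, Purpose).Protect(secret);

    // Returns false instead of throwing when the key ring or purpose does not match.
    public static bool TryUnprotect(string keyDir, string purpose, string payload, out string secret)
    {
        try { secret = Protector(keyDir, purpose).Unprotect(payload); return true; }
        catch (CryptographicException) { secret = null; return false; }
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: SecretTool <key-ring-dir>"); return; }
        // Read the secret from stdin so it does not end up in shell history.
        string secret = Console.In.ReadLine() ?? "";
        string payload = Protect(args[0], secret);
        Console.WriteLine(payload); // paste this as the "MySercet" value in appsettings.json

        // Same key ring and purpose: decrypts. Different purpose: rejected.
        Console.Error.WriteLine("same purpose:  " + TryUnprotect(args[0], Purpose, payload, out _));
        Console.Error.WriteLine("other purpose: " + TryUnprotect(args[0], "Other.Purpose", payload, out _));
    }
}
```

The key-ring folder is what decrypts the value, and keys persisted to the file system this way are not encrypted at rest unless that is configured separately, so keep the folder outside the web root with access limited to the application's identity.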

7 Comments

thanks for the reply, but I am not sure how I encrypt the password? When we used to work with web.config we used this command ASPNET_REGIIS... to encrypt part of the web.config, so can we do so in the appsettings.json?
@testtest, no, we can't. ASPNET_REGIIS... can only be used in .NET Framework, not Core. As for the encryption method, Data Protection is the officially recommended option; I think you can try it.
thanks for the reply, but what exactly do you mean by Data Protection is the officially recommended option?
@testtest, it means that the encryption method of Data Protection is described in the official documents: learn.microsoft.com/en-us/aspnet/core/security/data-protection/…, so you can try it.
Bad example. Doesn't answer the question. How can you use IDataProtectionProvider in Startup?