39.4. Encrypting Connection Strings

Although best practice is to use Windows authentication (integrated security) wherever possible, that is not always an option; sometimes you have to specify a user ID and password in a connection string. Do not hard-code those credentials into your application: string literals are trivially recovered from a compiled assembly with a decompiler or even a plain strings dump. The credentials therefore need to be either entered by the user each time the system is used, or placed in the connection string in the configuration file. The upshot is that you need a mechanism for encrypting configuration sections, so that the file on disk does not expose them either.

This walkthrough shows you how to encrypt a section of the configuration file for a web application named StagingWebsite, whose web.config is as follows (the example connection string uses integrated security and so carries no password, but the procedure is identical for one that does):

<?xml version="1.0"?>
<configuration>
    <connectionStrings>
        <add name="AdventureWorksConnectionString"
             connectionString="Data Source=.\sqlexpress;Initial Catalog=AdventureWorks;Integrated Security=True"
             providerName="System.Data.SqlClient" />
    </connectionStrings>
    <!--
        ...
    -->
</configuration>

Using the command prompt, execute the following commands in sequence, replacing UserName with the name of the account that the web application runs as (for example, the ASPNET account on IIS 5.x, or NT AUTHORITY\NETWORK SERVICE for a default application pool on IIS 6):

  1. cd \WINDOWS\Microsoft.NET\Framework\v2.0.50727

  2. aspnet_regiis -pa "NetFrameworkConfigurationKey" "UserName"

  3. aspnet_regiis -pe "connectionStrings" -app "/StagingWebsite"

Executing these commands modifies the web.config file as follows. If you get an error saying that the RSA key container was not found, create it first with 'aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp' (the -exp switch marks the key as exportable) and then repeat steps 2 and 3:
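The three steps above, as an added PowerShell script that is not part of the original page: it probes for the key container first (the "container was not found" case), grants access, encrypts the section, and then checks the file on disk rather than assuming success. The application account, the physical path of web.config and the .NET 2.0 folder are assumptions for this example; the virtual path, section name and container name are the ones used in the text.

```powershell
# Added example (not from the original page). Assumed values: the account the site runs as
# ($AppUser), the physical location of its web.config ($WebConfig) and the .NET 2.0 folder.
param(
    [string]$AppUser   = "NT AUTHORITY\NETWORK SERVICE",
    [string]$AppPath   = "/StagingWebsite",
    [string]$WebConfig = "C:\inetpub\wwwroot\StagingWebsite\web.config",
    [string]$Section   = "connectionStrings",
    [string]$Container = "NetFrameworkConfigurationKey"
)

$regiis = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

function Invoke-RegIis([string[]]$Arguments) {
    # aspnet_regiis reports most problems in its output text; treat a non-zero exit as fatal.
    $output = & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ("aspnet_regiis " + ($Arguments -join " ") + " failed:`n" + ($output -join "`n"))
    }
    $output
}

function Test-KeyContainer([string]$Name) {
    # Open the machine-level container with UseExistingKey: that flag makes the CSP throw
    # if the key set is missing instead of silently creating a fresh key pair.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor `
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider $csp
        $rsa.Clear()
        $true
    } catch {
        $false
    }
}

function Test-SectionEncrypted([string]$Path, [string]$SectionName) {
    # The encrypted section carries configProtectionProvider, and the connection string
    # itself must no longer be readable anywhere in the file.
    [xml]$doc = Get-Content $Path
    $node = $doc.configuration.$SectionName
    ($node.configProtectionProvider -eq "RsaProtectedConfigurationProvider") -and
        -not ($doc.OuterXml -match "Initial Catalog=")
}

# Step 0: create the key container if it does not exist yet (-exp keeps it exportable).
if (-not (Test-KeyContainer $Container)) {
    Invoke-RegIis @("-pc", $Container, "-exp")
}

# Step 2 of the text: let the application's identity read the container.
Invoke-RegIis @("-pa", $Container, $AppUser)

# Step 3 of the text: encrypt the section for the site's virtual path.
Invoke-RegIis @("-pe", $Section, "-app", $AppPath)

# Check the result on disk rather than trusting the exit code alone.
if (-not (Test-SectionEncrypted $WebConfig $Section)) {
    throw "$Section in $WebConfig is still readable; encryption did not take effect"
}
"$Section in $WebConfig is encrypted with RsaProtectedConfigurationProvider for $AppUser"
```

Run it from an elevated prompt on the web server itself, since -pe resolves the virtual path through the local IIS metabase. The on-disk check is deliberately coarse (it looks for the `Initial Catalog=` fragment of the known plaintext); its purpose is to catch the case where aspnet_regiis silently encrypted a different application's configuration than the one you meant.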

<?xml version="1.0"?>
<configuration>
 <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
   xmlns="http://www.w3.org/2001/04/xmlenc#">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>Rsa Key</KeyName>
     </KeyInfo>
     <CipherData>
          <CipherValue>Y4Be/ND8fXTKl3r0CASBK0oaOSvbyijYCVUudf1AuQl
pU2HRsTyEpR2sVpxrOukiBhvcGyWlv4EM0AB9p3Ms8FgIA3Ou6mGORhxfO9eIUGD+M5tJSe6wn/
9op8mFV4W7YQZ4WIqLaAAu7MKVI6KKK/ANIKpV8l2NdMBT3uPOPi8=</CipherValue>
     </CipherData>
    </EncryptedKey>
   </KeyInfo>
   <CipherData>
        <CipherValue>BeKnN/kQIMw9rFbck6IwX9NZA6WyOCSQlziWzCLA8Ff/JdA0W/dWIidnjae1
vgpS8ghouYn7BQocjvc0uGsGgXlPfvsLq18//1ArZDgiHVLAXjW6b+eKbE5vaf5ss6psJdCRRB0ab5xao
NAPHH/Db9UKMycWVqP0badN+qCQzYyU2cQFvK1S7Rum8VwgZ85Qt+FGExYpG06YqVR9tfWwqZmYwtW8iz
r7fijvspm/oRK4Yd+DGBRKuXxD6EN4kFgJUil7ktzOJAwWly4bVpmwzwJT9N6yig54lobhOahZDP05gtk
Lor/HwD9IKmRvO1jv</CipherValue>
   </CipherData>
  </EncryptedData>
 </connectionStrings>
    <!--
        ...
    -->
</configuration>

As you can see from this example, the connection string is no longer readable in the configuration file. The commands you executed did two things. Ignoring the first command (it simply changes to the directory that holds aspnet_regiis.exe), the second command grants the account you specified as UserName access to the key container NetFrameworkConfigurationKey. This container is the default for the RsaProtectedConfigurationProvider, which is configured in machine.config. For your application to decrypt the section at run time, the identity it runs as must be able to open that container; an identity without access fails with a configuration exception the first time the section is read. Bear in mind what this does and does not protect against: anyone who obtains a copy of web.config without access to this machine's key container (from a backup, a source-disclosure bug, or a copy left in source control) sees only ciphertext, whereas code already running as the application identity can still read the plaintext, because it is permitted to. To determine which identity that is, evaluate the following expression from inside the application (for example in a test page or the debugger's Immediate window), not at the command prompt:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

The third command encrypts the connectionStrings section of the configuration file for the web application StagingWebsite. Other sections of the configuration file can be encrypted with the same command by changing the section name. Because the data is tied to this machine's key container, an encrypted web.config copied to another server cannot be decrypted there unless you export the container with -px and import it on the target with -pi (which is why the container is created with -exp). If at some later stage you need to decrypt the configuration section in place, execute the same command with -pd instead of -pe. For example:

aspnet_regiis -pd "connectionStrings" -app "/StagingWebsite"
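The same provider driven through the System.Configuration API instead of aspnet_regiis, as an added PowerShell example that is not part of the original page. It prints the identity the text refers to, reads the connection string back (which only works if that identity can open the key container), and flips the section between protected and plain with ProtectSection and UnprotectSection, the API counterparts of -pe and -pd. It assumes it is run on the web server, as an account that has already been granted access with -pa and can write to web.config; the virtual path and connection-string name are those of the page's web.config.

```powershell
# Added example (not from the original page). Assumes an IIS server hosting /StagingWebsite,
# run as an account with key-container access and write permission on web.config.
param([switch]$Decrypt)   # default behaves like -pe; -Decrypt behaves like -pd

Add-Type -AssemblyName System.Web
Add-Type -AssemblyName System.Configuration

# The identity whose access to NetFrameworkConfigurationKey decides whether decryption works.
"Running as: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Get-ConnectionString([System.Configuration.Configuration]$Config, [string]$Name) {
    # Reading goes through the protection provider transparently: the caller never sees
    # <EncryptedData>, only the plaintext, or a ConfigurationErrorsException if the
    # current identity cannot open the key container.
    $entry = $Config.ConnectionStrings.ConnectionStrings[$Name]
    if ($null -eq $entry) { throw "No connection string named '$Name'" }
    $entry.ConnectionString
}

function Set-SectionProtection([System.Configuration.Configuration]$Config,
                               [string]$SectionName, [bool]$Protect) {
    $section = $Config.GetSection($SectionName)
    $info = $section.SectionInformation
    if ($Protect -and -not $info.IsProtected) {
        # Same provider the text's -pe command uses; its key container comes from machine.config.
        $info.ProtectSection("RsaProtectedConfigurationProvider")
    } elseif (-not $Protect -and $info.IsProtected) {
        $info.UnprotectSection()
    }
    $Config.Save()
    $info.IsProtected
}

$config = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration("/StagingWebsite")

$before = $config.GetSection("connectionStrings").SectionInformation
"Protected before: " + $before.IsProtected
if ($before.IsProtected) { "Provider: " + $before.ProtectionProvider.Name }

# Whether or not the file is encrypted, the application-side read looks the same.
"Connection string as the application sees it: " +
    (Get-ConnectionString $config "AdventureWorksConnectionString")

$nowProtected = Set-SectionProtection $config "connectionStrings" (-not $Decrypt)
"Protected after: " + $nowProtected
```

Because Get-ConnectionString is identical before and after the section is protected, the application code that consumes the connection string needs no change at all; the only moving part is whether the identity running it has been granted access to the container.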
