Friday, April 04, 2008
Encrypting Connection Strings in ASP.NET
By tmahmud @ 9:22 AM :: ASP.NET 2.0
 

Many of us developers store our connection strings in web.config in clear text. Although the contents of web.config are not visible to a browser, they are visible to anyone who has access to the server, such as administrators at the hosting company. This is a problem: they can view your connection string and connect to your database, extract confidential data about your site members and clients, and even delete your data. There are several steps you can take to secure your data. The first step is to encrypt your connection string. ASP.NET 2.0 offers an encryption utility to hide the connection string information within the web.config file. ASP.NET decrypts the information automatically when an ASPX page requests the connection string.

The encryption needs to be performed on the hosting server that is actually used for public deployment, because the default key used to perform the encryption derives from the machine where the application will run. So, even if you successfully encrypt the connection strings on your development machine, once you deploy the file to another machine, ASP.NET won't be able to decrypt it. You can perform the encryption from the command prompt by following these steps:

1. Close Visual Studio.
2. Click Start > Run, enter cmd, and change directory to C:\WINDOWS\Microsoft.net\Framework\v2.0.50727 (this may differ depending on the version you're using).
3. If C:\inetpub\wwwroot\MyWebsite is the root of your site, enter the following line:
aspnet_regiis -pef connectionStrings c:\inetpub\wwwroot\MyWebsite

The command-line tool for encrypting connection strings can also take a virtual path (the path in the IIS metabase) instead of the physical path to your site, as follows:
aspnet_regiis -pe connectionStrings -app /MyWebsite
After you have completed the above steps, open your web.config file. It will look like this:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings/>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
<CipherValue>z/ltjvphw0Qzgy+CKQjmfjcmtAC5YHik3LDRbxBR6D6Bnr45cr/lwf7DeK8p6tINfpNBUs
tRxt8VzkN/NtWl+qpC8vm8I7OUk4NCRBKdTSgUskoi884OHBzElOM+5TyrQ/mUo1ciza81iAAWW2A48UQan
HJqilPJGR+T0BqI6Oc=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
<CipherValue>RQM6/Y4DU+tiHQ2btu/Y6/jOuqzcRxffB4sIL7KDrKI1kBqNA9cas6+3V5tHwA...
PS0cHHOjo0wrI5GxJ517LNhCrWInJRfXJ7jNvx8jK/66wtaU</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
...
</configuration>
The connection data will be decrypted automatically when needed by ASP.NET. However, you can decrypt the connection information manually if you need to make modifications, such as changing the password, by using the following line:
aspnet_regiis -pdf connectionStrings c:\inetpub\wwwroot\MyWebsite
To repeat, the encryption process employs a key that is based on the machine where the encryption algorithm is executed. Moving a web.config to another machine will make the web.config undecryptable, so it is recommended that you encrypt your connection strings after you deploy your Web site to the production server.
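
A post-deployment check for the result described above, as an added example that is not part of the original article: it classifies the connectionStrings section of a web.config as encrypted or clear text. The function name Get-ConnectionStringsProtection is hypothetical, both sample configurations are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the article). Get-ConnectionStringsProtection is a
# hypothetical helper name; requires PowerShell 3.0 or later.
function Get-ConnectionStringsProtection {
    param([Parameter(Mandatory)][xml]$Config)

    # local-name() matches with or without the .NetConfiguration/v2.0 namespace.
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    if ($null -eq $section) {
        return [pscustomobject]@{ Status = 'NoSection'; Provider = ''; ClearNames = @() }
    }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    # Collect entry names only; the connection string values are never echoed.
    $clear = @($section.SelectNodes("*[local-name()='add']") |
        ForEach-Object { $_.GetAttribute('name') })

    if ($clear.Count -gt 0)            { $status = 'ClearText' }
    elseif ($encrypted -and $provider) { $status = 'Encrypted' }
    elseif ($encrypted -or $provider)  { $status = 'Inconsistent' }  # half-applied protection
    else                               { $status = 'Empty' }

    [pscustomobject]@{ Status = $status; Provider = $provider; ClearNames = $clear }
}

# Constructed sample inputs; the cipher text is a placeholder, not real output.
$clearConfig = [xml]@'
<configuration>
  <connectionStrings>
    <add name="MainDb" connectionString="Server=db;User Id=app;Password=example" />
  </connectionStrings>
</configuration>
'@
$protectedConfig = [xml]@'
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@

Get-ConnectionStringsProtection -Config $clearConfig
Get-ConnectionStringsProtection -Config $protectedConfig
```

To check a deployed site, pass the real file instead of a sample, for example -Config ([xml](Get-Content C:\inetpub\wwwroot\MyWebsite\web.config)).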

If you have any questions or comments, feel free to post them in our forums section.


