How to encrypt connection strings in web.config when publishing to server

  • Question

  • User1395831461 posted

    In my web.config I have connection strings specifying database names, userids and passwords. I noticed that after publishing to the server I can go to the inetpub folder on the server, open the web.config and see the userid and password etc. in plain text.

    How should I go about encrypting the connection string information when publishing my site to the server? Am I right in thinking it would be common practice to do so?

    If the question is dumbass please excuse I'm still a bit of a newbie...thanks in advance for any help, Roscoe

    Thursday, October 10, 2013 12:18 PM

Answers

  • User1508394307 posted

    aspnet_regiis (from C:\Windows\Microsoft.NET\Framework\version) has a few keys such as -pe and -pef to encrypt configuration sections. Using that tool you can encrypt the connectionStrings section in Web.config. Read more at http://msdn.microsoft.com/en-us/library/ms998280.aspx

    The tool has to be run directly on the server, and the configuration will be overwritten if you publish the solution again after that. So you can either run that tool once and not use the publish function (upload updated files manually instead) or use the flow explained at

    http://randomdotnetnuggets.blogspot.com.au/2013/05/publishing-encrypted-connection-strings.html

    You can also consider using integrated authentication, so your config will not contain a password and login name. Example:

    <add name="NorthwindConnection"
    connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 10, 2013 12:58 PM
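
Added example, not part of the original answer: a PowerShell script to run elevated on the server after each publish, using the -pef switch mentioned above to encrypt connectionStrings and then checking that the section is no longer stored in plain text. The site path and app-pool account are hypothetical placeholders; the optional -pa step, which grants the site's account read access to the default RSA key container, is an addition to what the thread covers.

```powershell
# Added example: encrypt <connectionStrings> in a deployed web.config, then verify.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MySite',  # hypothetical site folder
    [string]$AppPoolAccount = ''                      # hypothetical, e.g. 'IIS APPPOOL\MySite'
)
$ErrorActionPreference = 'Stop'

# Find aspnet_regiis.exe without hard-coding the framework version folder.
$regiis = Get-ChildItem "$env:WINDIR\Microsoft.NET\Framework\v*\aspnet_regiis.exe" |
    Sort-Object FullName | Select-Object -Last 1
if (-not $regiis) { throw 'aspnet_regiis.exe not found' }

$config = Join-Path $SitePath 'web.config'
if (-not (Test-Path $config)) { throw "No web.config found in $SitePath" }

function Test-SectionEncrypted([string]$Path) {
    # An encrypted section carries a configProtectionProvider attribute
    # and an <EncryptedData> child instead of <add> entries.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode('/configuration/connectionStrings')
    return [bool]($node -and $node.HasAttribute('configProtectionProvider'))
}

if (Test-SectionEncrypted $config) {
    Write-Host 'connectionStrings is already encrypted; nothing to do.'
} else {
    # -pef encrypts a section of the web.config in a physical folder.
    & $regiis.FullName -pef 'connectionStrings' $SitePath
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed ($LASTEXITCODE)" }
}

if ($AppPoolAccount) {
    # The default RSA provider uses the machine key container below; the
    # account running the site needs read access to decrypt at runtime.
    & $regiis.FullName -pa 'NetFrameworkConfigurationKey' $AppPoolAccount
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed ($LASTEXITCODE)" }
}

# Verify: section is marked encrypted and no credential keywords remain in clear text.
if (-not (Test-SectionEncrypted $config)) { throw 'Section is still in plain text' }
if (Select-String -Path $config -Pattern '(password|pwd)\s*=' -Quiet) {
    Write-Warning 'Credential-like text remains elsewhere in web.config (e.g. appSettings).'
}
```

Because the script skips a section that is already encrypted, it can be rerun safely after every publish that overwrites web.config.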

All replies

  • User71929859 posted

    smirnov has given you a good reply on how to encrypt the sections in the web.config file.

    As a side note, keep in mind that the web.config file is so highly secured that you usually don't need to worry about users accessing it.

    Tuesday, October 15, 2013 4:21 AM