encrypting DB connection string in web.config causes deployed website to fail.

  • Question

  • Hello,

    I'm trying to encrypt the database connection string in the web.config file of my web application. I use the following command from a command prompt:

    aspnet_regiis -pef "connectionStrings" <path_to_web.config>

    This seems to work in my dev environment and also on the deployment server (i.e. the connection string is encrypted and the website still runs and is able to hit the database).

    However, when I encrypt the connection string in my dev environment and then attempt to deploy, I get this error:

    I want to avoid having to encrypt the connection string on the server as an extra step after every deploy. Obviously, encrypting it on my dev environment (as a one time thing) before deployment doesn't work. There must be a way of making encryption a part of the deployment process (as opposed to an extra step I manually have to carry out).

    Here is the publish profile for deploying to the server:

    <?xml version="1.0" encoding="utf-8"?>
    <!--
    This file is used by the publish/package process of your Web project. You can customize the behavior of this process
    by editing this MSBuild file. In order to learn more about this please visit http://go.microsoft.com/fwlink/?LinkID=208121.
    -->
    <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <ItemGroup>
        <!-- <ExcludeFromPackageFolders Include="some path">
          <FromTarget>Excluding folders because ...</FromTarget>
        </ExcludeFromPackageFolders> -->
        <ExcludeFromPackageFiles Include="..\Web\**\*.js">
          <FromTarget>Javascript is bundled into app.js</FromTarget>
        </ExcludeFromPackageFiles>
      </ItemGroup>
      <PropertyGroup>
        <WebPublishMethod>FileSystem</WebPublishMethod>
        <LastUsedBuildConfiguration>Release</LastUsedBuildConfiguration>
        <LastUsedPlatform>Any CPU</LastUsedPlatform>
        <SiteUrlToLaunchAfterPublish />
        <LaunchSiteAfterPublish>True</LaunchSiteAfterPublish>
        <ExcludeApp_Data>True</ExcludeApp_Data>
        <publishUrl>\\acm3\$RiskAlive</publishUrl>
        <DeleteExistingFiles>True</DeleteExistingFiles>
      </PropertyGroup>
      <Target Name="CustomCollectFiles">
        <ItemGroup>
          <_JavaScriptFiles Include="..\Web\dist\**\*" />
          <FilesForPackagingFromProject Include="%(_JavaScriptFiles.Identity)">
            <DestinationRelativePath>dist\%(RecursiveDir)%(Filename)%(Extension)</DestinationRelativePath>
          </FilesForPackagingFromProject>
        </ItemGroup>
        <ItemGroup>
          <_FontFiles Include="..\Web\fonts\**\*" />
          <FilesForPackagingFromProject Include="%(_FontFiles.Identity)">
            <DestinationRelativePath>fonts\%(RecursiveDir)%(Filename)%(Extension)</DestinationRelativePath>
          </FilesForPackagingFromProject>
        </ItemGroup>
      </Target>
      <PropertyGroup>
        <CopyAllFilesToSingleFolderForPackageDependsOn>
          CustomCollectFiles;
          ;
        </CopyAllFilesToSingleFolderForPackageDependsOn>
        <CopyAllFilesToSingleFolderForMsdeployDependsOn>
          CustomCollectFiles;
          ;
        </CopyAllFilesToSingleFolderForMsdeployDependsOn>
      </PropertyGroup>
    </Project>

    • Moved by CoolDadTx Tuesday, August 9, 2016 5:39 PM ASP.NET related
    Monday, August 8, 2016 5:49 PM

All replies

  • Generally Webtech related questions are better asked on the proper main Forum:

    http://forums.asp.net/

    A simple guess would be: You did not provide the key to decrypt it.
    The problem with any encryption is, it is only as safe as the place you store the key at/how safe it is to exchange the key. After that it can be worse than hashing.

    Asynchronous encryption mostly is used for the key exchange problem, not to actually encrypt the data.

    Monday, August 8, 2016 9:20 PM
  • Thanks both, but I'm still getting the same error after following the steps in that article:

    Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: Bad Data.

    At this line in web.config:

    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element

    Tuesday, August 9, 2016 5:27 PM
  • This question needs to be posted in the ASP.NET forums (http://forums.asp.net ).  AFAIK the encryption is tied to the machine it is run on because it uses a per-machine entry from the registry to ensure that even if someone gets access to the file, it cannot be decrypted.  Of course if you're using RSA with an exported key (as mentioned in the article) then that works around it.

    But I really question the benefit of encrypting the conn string on a web app. Unless someone gets physical access to your server then the config file is not accessible (IIS will refuse to return this file under any circumstances). If they have physical access to your server then encrypting the string doesn't help you because they can easily connect a debugger to the process and see the connection string (or any data) that is being sent.

    The ASP.NET folks will be better able to point you in the right direction.

    Tuesday, August 9, 2016 5:39 PM
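The exported-key workflow the reply above refers to, written out as an added PowerShell example; this is not code from the thread or from any of its participants. The default RsaProtectedConfigurationProvider encrypts against the machine-level NetFrameworkConfigurationKey container, and that key differs on every machine, which is why ciphertext produced on the dev box fails with "Bad Data" on the server. Creating your own exportable container, importing it on both machines, and pointing web.config at it through a named provider removes that per-machine dependency. The script assumes .NET 4.x on 64-bit Windows; the container name, provider name, paths, app pool identity and the System.Configuration assembly identity are all placeholder assumptions.

```powershell
# Added example, not code from the thread. Shares one exportable RSA key container between the
# dev machine and the deployment server so a web.config encrypted on dev decrypts on the server.
# Every name and path below is a placeholder assumption; replace them with your own.
$regiis      = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"  # .NET 4.x, 64-bit (assumed)
$container   = 'SharedWebConfigKey'                 # hypothetical RSA key container name
$provider    = 'SharedRsaProvider'                  # hypothetical provider name referenced by web.config
$appPath     = 'C:\inetpub\wwwroot\MyApp'           # physical folder that holds web.config (placeholder)
$keyFile     = 'C:\secure\SharedWebConfigKey.xml'   # export with private half: restrict its ACL, delete after import
$appPoolUser = 'IIS AppPool\MyAppPool'              # identity that must read the container (placeholder)

function Invoke-RegIis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

# Step 1 (dev machine, once): create an exportable machine-level container and export it with the private key.
function New-SharedKeyContainer {
    Invoke-RegIis @('-pc', $container, '-exp')
    Invoke-RegIis @('-px', $container, $keyFile, '-pri')
}

# Step 2 (each deployment server, once): import the same container from the exported file.
function Import-SharedKeyContainer {
    Invoke-RegIis @('-pi', $container, $keyFile)
}

# Step 3 (every machine that runs the site): let the app pool identity read the container,
# otherwise decryption fails at runtime even though the key is present.
function Grant-SharedKeyAccess {
    Invoke-RegIis @('-pa', $container, $appPoolUser)
}

# Step 4: register a provider in web.config bound to the shared container, so the section is no
# longer tied to the default per-machine NetFrameworkConfigurationKey container.
function Add-SharedProvider {
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $root = $cfg.DocumentElement
    $cpd = $root.SelectSingleNode('configProtectedData')
    if (-not $cpd) { $cpd = $root.AppendChild($cfg.CreateElement('configProtectedData')) }
    $providers = $cpd.SelectSingleNode('providers')
    if (-not $providers) { $providers = $cpd.AppendChild($cfg.CreateElement('providers')) }
    if ($providers.SelectSingleNode("add[@name='$provider']")) { return }   # already registered
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', $provider)
    # Assumed assembly identity for System.Configuration on .NET 4.x
    $add.SetAttribute('type', 'System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('keyContainerName', $container)
    $add.SetAttribute('useMachineContainer', 'true')
    [void]$providers.AppendChild($add)
    $cfg.Save($WebConfigPath)
}

# Step 5: encrypt the section with the named provider (-pef takes the application directory, not the file).
function Protect-ConnectionStrings {
    Invoke-RegIis @('-pef', 'connectionStrings', $appPath, '-prov', $provider)
}

# Check before publishing: the section must carry EncryptedData and name the shared provider. If the
# configProtectionProvider attribute still names the default provider, the server will try its own
# NetFrameworkConfigurationKey and report "Bad Data" exactly as in the thread.
function Test-ConnectionStringsProtected {
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $section = $cfg.DocumentElement.SelectSingleNode('connectionStrings')
    if (-not $section) { return $false }
    $usesSharedProvider = $section.GetAttribute('configProtectionProvider') -eq $provider
    $hasCipherText = $null -ne $section.SelectSingleNode('*[local-name()="EncryptedData"]')
    return ($usesSharedProvider -and $hasCipherText)
}

# Dev machine, one time:        New-SharedKeyContainer; Grant-SharedKeyAccess
# Server, one time (after copying $keyFile over a protected channel): Import-SharedKeyContainer; Grant-SharedKeyAccess
# Dev, before each publish:     Add-SharedProvider -WebConfigPath (Join-Path $appPath 'web.config')
#                               Protect-ConnectionStrings
#                               Test-ConnectionStringsProtected -WebConfigPath (Join-Path $appPath 'web.config')
```

Once both machines hold the same container, the one-time encryption on the dev box that the question wanted survives a FileSystem publish unchanged, because the server decrypts with the identical key rather than its own. The exported key file is the sensitive artifact in this scheme: it contains the private key, so it belongs on a restricted path during transfer and should be removed after import, and the `-pa` grant should name only the app pool identity that runs the site.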