locked
How to secure the connection string in web.config file after deployment RRS feed

  • Question

  • User1623409651 posted

    Hi,

    Is there any way to secure the connection string in web.config file after deployment. 

    Thanks

    Sunday, July 2, 2017 5:06 AM

Answers

  • User1771544211 posted

    HI Rameezwaheed,

    Rameezwaheed

    1. Creating connection string method and call in classes

    Do you mean that you want to declare the connection string as a string parameter in your application's code and use the method to get it? This way is more secure, but when you want to change the connection string, you need to modify the source code and republish it.

    Rameezwaheed

    2. placing connection string in web.config file and encrypt and decrypt it.

    I prefer this approach.

    Rameezwaheed

    secondly if we encrypt the connection string  then while calling the connection string we first need to decrypt it ?

    If you encrypt the connection string with ASPNET_REGIIS, It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code.

    string ConnString = ConfigurationManager.ConnectionStrings["conn"].ConnectionString;
    

    Best Regards

    Jean

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 6, 2017 7:34 AM

All replies

  • User197322208 posted

    You can encrypt it.

    Sunday, July 2, 2017 5:54 AM
  • User571301025 posted

    Normally, you can encrypt the connection string in web.config to fulfill your requirement.

    https://msdn.microsoft.com/en-IN/library/dx0f3cf2(v=vs.85).aspx

     

    Sunday, July 2, 2017 6:01 AM
  • User991499041 posted

    Hi Rameezwaheed,

    Is there any way to secure the connection string in web.config file after deployment. 

    You could protect sensitive information by encrypting sections of the Web.config file.

    To encrypt connection string information stored in the Web.config file

    At the Windows command line, run the ASP.NET IIS registration tool (Aspnet_regiis.exe) with the following options:
    The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.
    The -app option, passing it the name of your application.
    The Aspnet_regiis.exe tool is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder.
    The following code example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication.

    aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

    https://msdn.microsoft.com/en-us/library/ms178372.aspx

    https://www.aspsnippets.com/Articles/Encrypt-and-Decrypt-Connection-String-in-AppConfig-file.aspx

    Regards,

    zxj

    Monday, July 3, 2017 5:40 AM
  • User1623409651 posted

    Thanks for reply,

    May i encrypt the connection string without

    aspnet_regiis

    command or without command line . ?

    Thanks

    Monday, July 3, 2017 11:55 AM
  • User753101303 posted

    Hi,

    You mean programmatically from your own app ? Try perhaps https://www.codeproject.com/articles/1057632/programmatically-encrypt-the-connection-string-in.

    Monday, July 3, 2017 12:50 PM
  • User1623409651 posted

    Thanks PatriceSC for your reply,

    I simply need to secure the connection string which one approach will be the best.

    1. Creating connection string method and call in classes

    2. placing connection string in web.config file and encrypt and decrypt it.

    secondly if we encrypt the connection string  then while calling the connection string we first need to decrypt it ?

    Thanking you,

    Thursday, July 6, 2017 4:28 AM
  • User1771544211 posted

    HI Rameezwaheed,

    Rameezwaheed

    1. Creating connection string method and call in classes

    Do you mean that you want to declare the connection string as a string parameter in your application's code and use the method to get it? This way is more secure, but when you want to change the connection string, you need to modify the source code and republish it.

    Rameezwaheed

    2. placing connection string in web.config file and encrypt and decrypt it.

    I prefer this approach.

    Rameezwaheed

    secondly if we encrypt the connection string  then while calling the connection string we first need to decrypt it ?

    If you encrypt the connection string with ASPNET_REGIIS, It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code.

    string ConnString = ConfigurationManager.ConnectionStrings["conn"].ConnectionString;
    

    Best Regards

    Jean

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 6, 2017 7:34 AM