
Securing Connection Strings using Encryption:

Introduction: A connection string lets a web application connect to its database. In an ASP.NET Website project the usual place to store it is the configuration file, Web.Config, because it can then be changed without recompiling the application. The problem is that Web.Config is a plain text file, and a connection string may contain sensitive information such as the database server name, user ID and password.

The solution is to encrypt the connectionStrings section of the Web.Config file with the aspnet_regiis.exe command line tool. ASP.NET 2.0 introduced the Protected Configuration model, which lets you encrypt data using two Protected Configuration Providers. They are:

o RSAProtectedConfigurationProvider: This is the default provider and uses the RSA public key encryption algorithm to encrypt and decrypt data.
o DataProtectionConfigurationProvider: This provider uses the Windows Data Protection Application Programming Interface (DPAPI) to encrypt and decrypt data.

Let's explore how to achieve the task:

Step 1: Add a <connectionStrings> element in the <configuration> section of the Web.Config file. A typical Web.Config looks like this:

    <configuration>
      <appSettings/>
      <connectionStrings>
        <add name="EncryptedConnectionString"
             connectionString="Data Source=192.20.145.67;Initial Catalog=hilDB;User ID=hil;Password=hil132456"
             providerName="System.Data.SqlClient" />
      </connectionStrings>
      <system.web> . </system.web>
    </configuration>

Step 2: Open the Visual Studio Command Prompt (Start > Programs > Microsoft Visual Studio 2008 > Visual Studio Tools > Visual Studio 2008 Command Prompt). Type the following command:

    aspnet_regiis.exe -pef connectionStrings C:\.....\EncryptWebsite

Make sure the command prompt's current directory is the location where the aspnet_regiis utility resides. You can find this utility at %windows root directory%\Microsoft.NET\Framework\%version (e.g. C:\WINDOWS\Microsoft.NET\Framework\v3.5).

Note that the -pef switch requires the full physical path of the website, passed as the last parameter. Verify the path to your Web.Config file carefully; otherwise an error occurs.

Step 3: After encryption, Web.Config looks like this:

    <appSettings/>
    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>HsOoavKUhwtx4KPOfRv9VBdxBSr4IqbpAc1ehOD9DoQsfZ986pChNYW1bo6JrphO /kFVMmr2c1llWSg5Ii+d2HJe3VXj3eIuI53xTlCCR4HyCkYPbxWRYsbc95XMTvzYkb+gaNATeSYUm hLbNZb1oM9zT6pDhOYL+hyV0oQLEUg=</CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>6izWsTsMxXaFmczG4tWQQM/DVP3KIJdBCPS36w75xnCRNHiK88Dv+ltClgwcMSWm 4steI3sS0FfoEbf4DvSfDHA3DcmGOOsAIU5z1oSdDf/dDyWgqgzX9HJOo6HMhaodfU1+VV9a9F0ce cJ1gjER62uizPM58HPgv/6q2eKth5YaTz+7jbL04BTGboAijhpF9SA8fU9kmXyoDXK0oHrxaPLLBU 9iobSbHPOJWsXHaSdQA3KS2ia911jNCG2QwOr/z8gZyaoUx4n38QgitUQxarRVfLujKGXchzJvm6f iQznGYdcGdHFFrA==</CipherValue>
        </CipherData>
      </EncryptedData>
    </connectionStrings>

You can decrypt the connectionStrings section by using the following command:

    aspnet_regiis.exe -pdf connectionStrings C:\.....\EncryptWebsite

After decryption, it looks just as it did before it was encrypted.
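A check to run after Step 3, or over deployed sites, to confirm that the connectionStrings section really is encrypted and that no clear-text credentials remain. This Python script is an added example, not part of the original article or of aspnet_regiis; the function name audit_connection_strings and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
# Connection-string keys that indicate embedded credentials.
SECRET_KEYS = re.compile(r"(?i)\b(password|pwd|user id|uid)\s*=")

def audit_connection_strings(web_config_xml):
    """Classify <connectionStrings> as missing, encrypted, plaintext or inconsistent."""
    # Assumes <configuration> carries no default xmlns, as in the article's example.
    section = ET.fromstring(web_config_xml).find("connectionStrings")
    if section is None:
        return "missing", []
    provider = section.get("configProtectionProvider")
    encrypted = section.find(XMLENC + "EncryptedData")
    entries = section.findall("add")
    findings = ["%s: credentials stored in clear text" % e.get("name")
                for e in entries if SECRET_KEYS.search(e.get("connectionString", ""))]
    if encrypted is not None and provider and not entries:
        # The payload is the CipherValue directly under EncryptedData/CipherData.
        cipher = encrypted.find(XMLENC + "CipherData/" + XMLENC + "CipherValue")
        if cipher is None or not (cipher.text or "").strip():
            return "inconsistent", ["EncryptedData has no CipherValue"]
        return "encrypted", ["provider=" + provider]
    if encrypted is not None or provider:
        return "inconsistent", findings + ["protection marker without a clean EncryptedData section"]
    return "plaintext", findings

# Constructed sample inputs (not taken from a real deployment).
PLAIN = """<configuration><connectionStrings>
  <add name="AppDb" providerName="System.Data.SqlClient"
       connectionString="Data Source=db.example.test;Initial Catalog=AppDb;User ID=app;Password=CONSTRUCTED" />
</connectionStrings></configuration>"""

ENCRYPTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for label, doc in (("before", PLAIN), ("after", ENCRYPTED)):
        print(label, audit_connection_strings(doc))
```

A result of "inconsistent" means the section carries a protection marker but still contains plain <add> entries or lacks cipher data, which is worth treating as a failed encryption run.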
