Monday, December 23 2013
Keywords: ASP.NET, C#, Encrypt, Decrypt, sensitive information, web.config, connectionStrings, conn string encryption
Encrypt ASP.NET Web.config's connectionStrings section
I'm a DBA, and a I'm also a web developer, and it should be no surprise to anyone that I would not let my connection strings get uploaded to some remote hosting server in clear text format! Who knows how many people have access to that machine, for one reason or another!
I show you how easily and quickly you could encrypt web.config file's connection strings; in fact you could be done in less than 5 minutes times! It's that quick and simple.
Step 1) Make sure your connection strings are in the newer connectionStrings section of the web.config file, and not under the old appsettings section. To read connection strings from this section you could use something like:
SqlConnection sqlConnection1 = new SqlConnection(ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString);
Step 2) Add a class to your project. Call the class ConfigurationEncrypionHelper. You could find the source code to this class on the bottom of this page. This class has three functions: (1) EncryptConnectionString that encrypts connectionStrings section of web.config (2) IsSectionEncrypted to let you know if web.config is encrypted or not (3) DeCryptConnectionStringSection to decrypt the information and save it back in web.config.
Step 3) You need to create an instance of ConfigurationEncrypionHelper object and call its EncryptConnectionString once to encrypt the connectionStrings section. That's all there is to it! How and where in your project you will actually want to call this method once, I would leave that up to you, but for the sake of demonstration, let's create a new aspx file, called EncryptMyConfiguration.aspx.
You might have noticed string fileName = @"\"; in the image above.
The slash character "\" points to the webconfig on the root of the current site. If you have other virtual directories...you would need to enter other values in there such as "/myVirtualPath";.
Step 4) Compile and run your website project. Browse to EncryptMyConfiguration.aspx page, and that will encrypt your connection string.
Do not encrypt your development environment's web.config file. You only encrypt the web.config once it is out of the dev and within stage or production servers. What has been encrypted on one machine will not work on other machines...you would need to encrypt the file in each server separately.
You need to run this method ONLY ONCE after each web server promotion/publishing.
There is a constant variable in the class that holds the value 'connectionStrings'...with a little bit of refactoring you would be able to encrypt other sections of your web.config file as well...wherever you keep sensitive information in.
Written by Ramin Haghighat
Download the scripts for this article (Prior to unzipping the content of the file you must Right-Click on the file --> Properties --> Unblock)