Encrypting Connection String in web.config

7

33

How can we encrypt the connection string section in web.config file?

Fawnia answered 10/11, 2009 at 9:24 Comment(0)
12

Rahul, converting a string from ASCII to a base64 string isn't encryption, which is what your first link suggests. We can easily convert base64 to ASCII.

Using configsection.protectSection() with an RSA key is proper encryption that is available for sections of the Web.config file.

Check this link: http://www.beansoftware.com/ASP.NET-Tutorials/Encrypting-Connection-String.aspx

Please note that we cannot encrypt the Web.config file in a shared hosting environment where the trust level is set to medium trust.

Womanish answered 14/4, 2014 at 15:45 Comment(0)
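
The ProtectSection call this answer refers to, sketched as an added example (not part of the original answer or the linked tutorial). It assumes a full-trust .NET Framework process with references to System.Configuration and System.Web; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper, added for illustration.
public static class ConnectionStringProtector
{
    // Provider names as registered by default in machine.config.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> of the application at appVirtualPath
    // (for example "/YourWebSiteName"). Returns false if already encrypted.
    public static bool Protect(string appVirtualPath, string providerName = RsaProvider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        SectionInformation info = GetInfo(config);
        if (info.IsProtected) return false;
        if (info.IsLocked)
            throw new InvalidOperationException("Section is locked by a parent configuration.");

        info.ProtectSection(providerName);   // throws if the trust level does not allow it
        info.ForceSave = true;               // write the section even if its values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Restores the plaintext section. Returns false if it was not encrypted.
    public static bool Unprotect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        SectionInformation info = GetInfo(config);
        if (!info.IsProtected) return false;

        info.UnprotectSection();
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    private static SectionInformation GetInfo(Configuration config)
    {
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InvalidOperationException("No connectionStrings section found.");
        return section.SectionInformation;
    }
}
```

Application code keeps reading `ConfigurationManager.ConnectionStrings` as before; the configuration system decrypts the section at load time, provided the process identity can use the provider's key.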
12

To save having to visit external links, in C:\Windows\Microsoft.NET\Framework\v4.0.30319 (for .NET 4 / 4.5)

aspnet_regiis.exe -pe "connectionStrings" -app "/YourWebSiteName" -prov "DataProtectionConfigurationProvider"

To decrypt the connectionStrings section using this tool, you can specify the following command in the aspnet_regiis.exe tool.

aspnet_regiis.exe -pd "connectionStrings" -app "/YourWebSiteName"
Chaparro answered 22/5, 2015 at 15:13 Comment(4)
Would you please tell me what are the advantages of using the aspnet_regiis.exe tool, when the encrypted file is only usable on the local machine and cannot be used on the hosting server?! – Situated
That really depends on why you want to encrypt the file. If it's for development and you don't have any sensitive information on your dev machine, then I don't think there's much point (other than for testing); however, on a live server or a machine where there is sensitive information which could be hacked... then there's your benefit. – Chaparro
There is another provider, RsaProtectedConfigurationProvider. – Vestryman
A slightly modified version worked for me. I was using the path of the web.config file, and used the following: aspnet_regiis -pef "connectionStrings" "PATH_TO_DIRECTORY". The same was used, but with -pdf for the decryption step. – Antistrophe
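
A way to confirm that the commands above actually took effect, as an added example that is not part of the original answer or its comments. It classifies the connectionStrings section of a web.config by the markers aspnet_regiis leaves behind; the type names and the sample XML are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public enum SectionState { NoEntries, Encrypted, External, Plaintext }

// Hypothetical audit helper, added for illustration.
public static class WebConfigAudit
{
    public static SectionState Classify(string webConfigXml)
    {
        XElement section = XDocument.Parse(webConfigXml).Root?
            .Elements().FirstOrDefault(e => e.Name.LocalName == "connectionStrings");
        if (section == null) return SectionState.NoEntries;

        // An encrypted section carries configProtectionProvider and an <EncryptedData> child.
        bool hasProvider = section.Attribute("configProtectionProvider") != null;
        bool hasCipher = section.Elements().Any(e => e.Name.LocalName == "EncryptedData");
        if (hasProvider && hasCipher) return SectionState.Encrypted;

        // configSource moves the entries to another file, which needs its own check.
        if (section.Attribute("configSource") != null) return SectionState.External;

        bool hasEntries = section.Elements()
            .Any(e => e.Name.LocalName == "add" && e.Attribute("connectionString") != null);
        return hasEntries ? SectionState.Plaintext : SectionState.NoEntries;
    }

    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            // Constructed sample input, not taken from the page.
            const string sample = "<configuration><connectionStrings>" +
                "<add name=\"Db\" connectionString=\"Server=db;User Id=app;Password=example\" />" +
                "</connectionStrings></configuration>";
            Console.WriteLine(Classify(sample));
            return;
        }
        // With a directory argument, report the state of every web.config below it.
        foreach (string path in Directory.EnumerateFiles(args[0], "web.config", SearchOption.AllDirectories))
        {
            try { Console.WriteLine($"{Classify(File.ReadAllText(path)),-10} {path}"); }
            catch (System.Xml.XmlException) { Console.WriteLine($"UNREADABLE {path}"); }
        }
    }
}
```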
3

Run this in the command prompt: aspnet_regiis.exe -pef "connectionStrings" "pathToWebConfig"

Or, if you want to run this programmatically, you can create a Process:

            // Requires: using System; using System.Diagnostics;
            // Assumed to exist in the surrounding code: application.Path (directory that
            // contains web.config), processOutput (result holder) and timeoutMilliseconds.
            string fileName = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe";

            // Use the 64-bit framework tool in a 64-bit process or on a 64-bit OS.
            if (8 == IntPtr.Size
                || (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"))))
            {
                fileName = @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe";
            }

            string arguments = $"-pef \"connectionStrings\" \"{application.Path}\"";

            using (Process process = new Process())
            {
                process.EnableRaisingEvents = true;
                process.StartInfo = new ProcessStartInfo
                {
                    FileName = fileName, // was exeName, which is not defined anywhere
                    Arguments = arguments,
                    UseShellExecute = false,
                    RedirectStandardOutput = true,
                    RedirectStandardError = true,
                    CreateNoWindow = true
                };

                process.Start();
                // Capture the tool's output, then wait for it to finish.
                processOutput.Output = process.StandardOutput.ReadToEnd();
                bool exited = process.WaitForExit(timeoutMilliseconds);
                if (exited)
                {
                    processOutput.ExitCode = process.ExitCode;
                }
            }
Cortese answered 29/6, 2017 at 8:42 Comment(0)
1

Encryption is useful to give security to the application. Please find the following steps to encrypt web.config.

  1. Open Command Prompt with Administrator privileges
  2. At the Command Prompt, enter
  3. cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
  4. In case your web.config is located in the "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
  5. ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"

I have used some other things for more security. In my Web.config I have added the following code.

  <httpProtocol>
    <customHeaders>
      <!-- Header name is X-Frame-Options; valid values are DENY or SAMEORIGIN -->
      <add name="X-Frame-Options" value="DENY" />
      <remove name="Server" />
      <remove name="X-AspNet-Version" />
      <remove name="X-AspNetMvc-Version" />
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
Deadwood answered 13/3, 2017 at 8:30 Comment(1)
Hmm... Looks a lot like the article I just read (from 2014) here: codeproject.com/Tips/795135/… – Arte
1

I have created a utility in windows forms with source code.

Download the file from here (it's the whole project, you can run it from the bin folder): File

  1. Run the executable file from the debug folder (Run As Administrator)
  2. Browse the config file
  3. You are done

Note: Check if this folder exists in your computer:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\

Here is a sneak peek of what the file has: Check Gist Here

Honna answered 10/4, 2018 at 16:0 Comment(1)
Great tool, but it encrypts the web.config, not the debug or release; I will try to hack the source code you posted in the zip (y) – Inestimable
0

ASPNET_REGIIS, as said by others.

But remember when considering strength and requirements of encoding, RSA is not fool-proof, not even very strong. Breaking it takes minutes.

My case is, I must connect to one of the SQL servers using SQL server authentication, which in turn requires to write the password in plain text in the connection string.

Plain text passwords in files are just wrong. Better RSA encoded. So when someone looks at it and does not really want to break into it, he does not see the password.

However, it is on a server only accessible from within the domain, which limits the possible attackers to less than 100, anyone else would have to break in the domain first, and if that happens connecting to a test environment DB server is the least of the problems. Also, out of those 100 people, only about 5 have the admin privileges, which give the right to cleanly decrypt the file using ASPNET_REGIIS.

You have to trust those anyway. For all the others, the value of data they could get is much less than the work they would have to put in getting it. It is not worth the risk of ceasing to be employees either.

Also, they mostly don't even know about this thing being possible to break into. And now, even if they somehow find out, they don't get a plain text password without any work.

Berkeleianism answered 29/1, 2019 at 9:49 Comment(0)
