encrypt the database connection string

[Freddy]

Hi,

How to encrypt the database connection string, store it in the Web.config
file and then retive and decrypt it.
Any links to articles would be great.

Thanks

Freddy

 

[John Amick]

I believe you can use the RSACryptoServiceProvider.Encrypt method to encrypt
a connection string, and put the encrypted string it generates into your
web.config file. You would then use RSACryptoServiceProvider.Decrypt in
your code to decrypt it. Here's a link to info on
System.Security.Cryptography:

http://msdn.microsoft.com/library/d...pref/html/frlrfsystemsecuritycryptography.asp

Also, check out the Confirguration Management Application Block from
Microsoft. I haven't actually used it yet, but one of the stated claims is
"Data security and integrity - data signing and encryption can be used with
any configuration data - regardless of its structure or where it is stored -
to improve security and integrity".

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/cmab.asp?frame=true

It's already written for you, and it's free. Not a bad deal.

-John

 

[bruce barker]

the current implementation of asp.net does not allow true security (another
site on the same server often has enough permission to do a successful
attack). the trick to security is where to hide key (application block
approach ), or when you request the key how to prove who you are (missing in
asp.net).

the application block uses a registry key that the application picks. But
any app on the web server has permission to the resource file where the key
name is stored and the registry where the key is stored, so they can lookup
the key and get the data. so you need to lock down the registry. this works
if your site is anonymous and you have a nt account for your site, but will
not work if you use authencation.

-- bruce (sqlwork.com)