Encrypt Web.config

8

I come here with a question regarding the ConnectionStrings of Web.config.

Seeing that we normally provide a form of authentication in ConnectionStrings for the application to access the database, by default anyone accessing the server where the application is installed will have access to the database through the data contained in ConnectionStrings.

I know how to encrypt using aspnet_regiis; for those who do not know, a brief tutorial

Based on this, my question comes up: How to encrypt the ConnectionStrings of Web.config to hide database access data?

    
asked by anonymous 19.03.2015 / 15:06

1 answer

7

Ideally, you would not rely on this information; it would be better to have authentication done by other, more secure mechanisms, such as Integrated Security. Having said that, let's go to the requested solution:

You will basically use the aspnet_regiis.exe utility. It is in the C:\Windows\Microsoft.NET\Framework\vX.Y.ZZZZZ directory. Do not forget that you must have administrator privileges to run it. Example usage:

aspnet_regiis -pef "connectionStrings" "c:\diretorio"

There is no miracle. Encryption does not guarantee anything if you need it to be easily decrypted. You could provide a custom form of encryption, but you would need to have a key and an algorithm to decrypt it. If someone has access to your Web.config, they will probably have your application, which contains both, and it will be decrypted. So it's best to let the operating system and database take care of this. They will do a better job, even though a fully compromised server can give access to anything.

But if they can only read your Web.config file, they will not be able to do much of anything outside the computer where it was encrypted and will not be able to revert it to the original state. This encryption is dependent on the environment where it is made. That's why you cannot do it on your development machine and copy it to the production machine. Encryption must always be done on the production machine. Only you can decrypt.

Documentation. More details.

    
19.03.2015 / 15:19
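
An added example, not part of the answer above: a Python check that reports whether the connectionStrings section of a Web.config is encrypted, and otherwise which entries carry a plaintext password and which use Integrated Security. The sample documents, connection names and the `audit_connection_strings` helper are constructed for illustration; the encrypted sample assumes the RsaProtectedConfigurationProvider layout with a placeholder cipher value.

```python
import xml.etree.ElementTree as ET

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed samples: a plaintext section and the shape left by aspnet_regiis -pef.
PLAIN = """<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=db01;Database=App;User ID=app;Password=example-only" />
  <add name="ReportDb" connectionString="Server=db01;Database=Rpt;Integrated Security=SSPI" />
</connectionStrings></configuration>"""
ENCRYPTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

def parse_conn_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_connection_strings(web_config_xml):
    """Return (section_state, [(name, finding), ...]) for a Web.config document."""
    section = ET.fromstring(web_config_xml).find("connectionStrings")
    if section is None:
        return "absent", []
    # An encrypted section names its provider and holds EncryptedData, not <add>.
    if (section.get("configProtectionProvider")
            and section.find(XMLENC + "EncryptedData") is not None):
        return "encrypted", []
    findings = []
    for add in section.findall("add"):
        kv = parse_conn_string(add.get("connectionString", ""))
        integrated = kv.get("integrated security", kv.get("trusted_connection", ""))
        if "password" in kv or "pwd" in kv:
            findings.append((add.get("name"), "plaintext password"))
        elif integrated.lower() in ("true", "sspi", "yes"):
            findings.append((add.get("name"), "integrated security"))
        else:
            findings.append((add.get("name"), "no credential found"))
    return "plaintext", findings

if __name__ == "__main__":
    for label, doc in (("PLAIN", PLAIN), ("ENCRYPTED", ENCRYPTED)):
        print(label, audit_connection_strings(doc))
```

Running the check on the production Web.config after aspnet_regiis has been applied should return the "encrypted" state; a "plaintext password" finding means the section still exposes credentials to anyone who can read the file.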