Monday, August 11, 2008

How to Encrypt connection string in web.config

     The most sensitive information stored in web.config file can be the connection string. You do not want to disclose the information related to your database to all the users where the application is deployed. Every time it is not possible to have a private machine for your sites, you may need to deploy the site in shared host environment. To encrypt the connection string in above situation is advisable.

     ASP.NET 2.0 provides in built functionality to encrypt few sections of web.config file. The task can be completed using Aspnet_regiis.exe. Below is the web.config file and <connectionStrings> section.   

   1: <connectionStrings>
   2:   <add name="cn1" 
   3:           connectionString="Server=DB SERVER;
   4:                             database=TestDatabase;
   5:                             uid=UID;
   6:                             pwd=PWD;" />
   7:  </connectionStrings>

Fig - (1) Connection string section of web.config file


     To encrypt the connection string section follow the steps,


1. Go to Start -> Programm Files ->
    Microsoft Visual Studio 2005 -> Visual Tools
    -> Microsoft Visual Studio 2005 Command Prompt


2. Type following command,


    aspnet_regiis.exe -pef "connectionStrings" C:\Projects\DemoApplication


    -pef indicates that the application is built as File System website.  The second argument is the name of configuration section needs to be encrypted. Third argument is the physical path where the web.config file is located.


   If you are using IIS base web site the command will be,


   aspnet_regiis.exe -pe "connectionStrings" -app "/DemoApplication"


 -pe indicates that the application is built as IIS based site. The second argument is the name of configuration section needs to be encrypted. Third argument "-app" indicates virtual directory and last argument is the name of virtual directory where application is deployed.   


   If everything goes well you will receive a message "Encrypting configuration section...Succeeded!"


  Open your web.config file and you can see that connection string is encrypted,



   1: <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
   2:   <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
   3:    xmlns="http://www.w3.org/2001/04/xmlenc#">
   4:    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
   5:    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   6:     <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
   7:      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
   8:      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   9:       <KeyName>Rsa Key</KeyName>
  10:      </KeyInfo>
  11:      <CipherData>
  12:       <CipherValue>Ik+l105qm6WIIQgS9LsnF8RRxQtj2ChEwq7DbHapb440GynFEoGF6Y3EM3Iw/lyDV8+P8bIsketi5Ofy9gpZlCBir7n315Q6RPbdclUo79o/LKadhX4jHFpnSIQNIF/LhwjwkLFC0=</CipherValue>
  13:      </CipherData>
  14:     </EncryptedKey>
  15:    </KeyInfo>
  16:    <CipherData>
  17:     <CipherValue>JsLrQ5S8Pq3U72nQzmSl/XlLX72GM0O3EbPLaHRNvjTDgG9seDflGMjTfO10M1s7/mPh//3MhA7pr0dNHUJ143Svhu5YXODRC6z9CkR0uyE4H7uDvTKJ8eR3m9APhXoo1sT1K3tCLHD6a2BM+gqSk9d8PzCfbM8Gmzmpjz1ElIaxu62b4cg9SNxp8o86O9N3fBl2mq</CipherValue>
  18:    </CipherData>
  19:   </EncryptedData>
  20:  </connectionStrings>

Fig - (2) Encrypted connection string section 


       You do not have to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.



   1: Response.Write(ConfigurationManager.ConnectionStrings["cn1"].ConnectionString);

    Now to decrypt the configuration section in web.config file use following command,


For File System Application,


aspnet_regiis.exe -pdf "connectionStrings" C:\Projects\DemoApplication


For IIS based Application


aspnet_regiis.exe -pd "connectionStrings" -app "/DemoApplication" 


    If you want to encrypt any nested section in web.config file like <pages> element within <system.web> you need to write full section name as shown below,


aspnet_regiis.exe -pef "system.web/Pages" C:\Projects\DemoApplication


     You can encrypt all the sections of web.config file except following using the method I displayed in this article,


<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>


   To encrypt these section you needed to use Aspnet_setreg.exe tool.  For more detail about Aspnet_setreg.exe tool search Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.


 


Happy Programming !!!