Hi,

I have a Deluxe hosting account at GoDaddy, using a SQL Server 2005 DB. 

I wanted to get both data repositories ("Personal" and "LocalSqlServer") in one source in a SQL DB and get away from the .mdf SQL file, so I added the tables & stored procs from the aspnetdb.mdf file and inserted them into my hosting DB.  Now I would like to encrypt my connection strings in the web.config so that it is no longer in plain text, however I'm having an issue with encrypting/decrypting the strings.

I don't have any issues encrypting/decrypting the connection string for the album data ("Personal" connection string), however, the AspNetSqlRoleProvider does not like reading an encrypted connection string ("LocalSqlServer"), and I don't know if there's a way to decrypt it before providing it.  I've played around with the DPAPIProtectedConfigurationProvider and RSAProtectedConfigurationProvider and it works locally, but as soon as I upload it to my hosting server, it doesn't want to work.

Does anyone know if there is a way to protect the connection string the AspNetSqlRoleProvider uses?  Or do you know if GoDaddy allows you to use DPAPIProtectedConfigurationProvider or RSAProtectedConfigurationProvider?  I've tried Googling every possible keyword combination but I haven't had any luck with it.

How are other people dealing with encryption for this?

Thanks in advance!
Lisa

Lisa,

I think in order for you to encrypt your web.config file, the RSA key needs to be installed on the server.

Another not so secure option is to use the machine key to encrypt but this is pretty useless because anyone on the server have access to that key.

Bruce L:

Lisa,

I think in order for you to encrypt your web.config file, the RSA key needs to be installed on the server.

Another not so secure option is to use the machine key to encrypt but this is pretty useless because anyone on the server have access to that key.

Thanks, Bruce.  I was thinking the same thing before I posted, but I was hoping there was another way.

We'll see how much luck I have...I've tried contacting them before and their customer support is terrible. I'll contact them, then I'll come back and repost.

Thanks again! 
Lisa

Did you find a solution to encrypting your connection strings with godaddy shared hosting?  I am having the same trouble.  They mentioned to me that part of the problem may lie in the fact that the applications are set up using medium trust for shared hosting users.

Please reply if you have found a solution! Thanks!

Same problem here - searching the Godaddy "Help Center" turned up nothing.

Surely there must be a way to do this.... anyone know if other hosting sites offer a method? 

xb - You would think there would be a way to secure your database connection strings! 

I've spent a fair amount of time talking to Godaddy about this issue and they pretty much told me it is not possible to encrypt your web.config files, nor will they allow you to create a read-only / dummy user.  A read-only user would atleast provide some protection to your data if the credentials were uncovered from the connection string.  I would encourage everyone having an issue related to this to contact godaddy and post in this forum thread.  From every web forum / discussion / msdn help files I have read on this issue, having encryption and/or a read-only account are considered a standard in securing your db and I think godaddy needs to provide atleast one, if not both, of these solutions for its customers. 

Here are some responses I've received from godaddy about this issue... I particularily like the part where they claim they are unaware of decompilation software and any risks presented by decompilation (Google - "salamander decompilation" or "vb/c#.net decompilation" for example).  The capabilities do exist and so do the risks.  

************************ 

2/01/2008

Dear Lance,

I apologize for any confusion. While you cannot encrypt the web.config file (which may be due to the medium-trust level for .net 2.0 on our servers), the IIS configuration on our shared servers will not allow it to be served to a visitor of your website. The only way to access the web.config file would either be through FTP or a script that you would first need to upload to your account as the administrator.

As for your question regarding decompilation software that may compromise your web.config file, we are not aware of any such security risks or software. The permissions placed on your folder on the shared server ensures that no other users on the system will be able to access it's contents.

If you have any further questions, please feel free to reply to this email.
Sincerely,
Frank P.
Online Support Supervisor

************************

2/04/2008 

Dear Lance,

Thank you for contacting Online Support. The lack of encryption is due to the fact that we do not allow for remote connections using our databases, therefore; the login information regarding the databases would never leave our system. Unfortunately it is not possible to change the medium trust level nor is it possible to create a dummy user. I apologize for any inconvenience.

Please let us know if we can help you in any other way.
Sincerely,
Matt P.
Online Support Technician

************************