I have a Deluxe hosting account at GoDaddy, using a SQL Server 2005 DB.
I wanted to get both data repositories ("Personal" and "LocalSqlServer") in one source in a SQL DB and get away from the .mdf SQL file, so I added the tables & stored procs from the aspnetdb.mdf file and inserted them into my hosting DB. Now I would like to
encrypt my connection strings in the web.config so that it is no longer in plain text, however I'm having an issue with encrypting/decrypting the strings.
I don't have any issues encrypting/decrypting the connection string for the album data ("Personal" connection string), however, the AspNetSqlRoleProvider does not like reading an encrypted connection string ("LocalSqlServer"), and I don't know if there's a
way to decrypt it before providing it. I've played around with the DPAPIProtectedConfigurationProvider and RSAProtectedConfigurationProvider and it works locally, but as soon as I upload it to my hosting server, it doesn't want to work.
Does anyone know if there is a way to protect the connection string the AspNetSqlRoleProvider uses? Or do you know if GoDaddy allows you to use DPAPIProtectedConfigurationProvider or RSAProtectedConfigurationProvider? I've tried Googling every possible
keyword combination but I haven't had any luck with it.
How are other people dealing with encryption for this?
Thanks in advance!
Lisa
ASP.NET 2.0GodaddySecurityASP.NETsql server 2005AspNetSqlRoleProviderweb.config
I think in order for you to encrypt your web.config file, the RSA key needs to be installed on the server.
Another not so secure option is to use the machine key to encrypt but this is pretty useless because anyone on the server have access to that key.
Thanks, Bruce. I was thinking the same thing before I posted, but I was hoping there was another way.
We'll see how much luck I have...I've tried contacting them before and their customer support is terrible. I'll contact them, then I'll come back and repost.
Did you find a solution to encrypting your connection strings with godaddy shared hosting? I am having the same trouble. They mentioned to me that part of the problem may lie in the fact that the applications are set up using medium trust for shared hosting
users.
Please reply if you have found a solution! Thanks!
xb - You would think there would be a way to secure your database connection strings!
I've spent a fair amount of time talking to Godaddy about this issue and they pretty much told me it is not possible to encrypt your web.config files, nor will they allow you to create a read-only / dummy user. A read-only user would atleast provide some
protection to your data if the credentials were uncovered from the connection string. I would encourage everyone having an issue related to this to contact godaddy and post in this forum thread. From every web forum / discussion / msdn help files I have
read on this issue, having encryption and/or a read-only account are considered a standard in securing your db and I think godaddy needs to provide atleast one, if not both, of these solutions for its customers.
Here are some responses I've received from godaddy about this issue... I particularily like the part where they claim they are unaware of decompilation software and any risks presented by decompilation (Google - "salamander decompilation" or "vb/c#.net decompilation" for
example). The capabilities do exist and so do the risks.
************************
2/01/2008
Dear Lance,
I apologize for any confusion. While you cannot encrypt the web.config file (which may be due to the medium-trust level for .net 2.0 on our servers), the IIS configuration on our shared servers will not allow it to be served to a visitor of your website.
The only way to access the web.config file would either be through FTP or a script that you would first need to upload to your account as the administrator.
As for your question regarding decompilation software that may compromise your web.config file,
we are not aware of any such security risks or software. The permissions placed on your folder on the shared server ensures that no other users on the system will be able to access it's contents.
If you have any further questions, please feel free to reply to this email.
Sincerely,
Frank P.
Online Support Supervisor
************************
2/04/2008
Dear Lance,
Thank you for contacting Online Support. The lack of encryption is due to the fact that we do not allow for remote connections using our databases, therefore; the login information regarding the databases would never leave our system. Unfortunately it is
not possible to change the medium trust level nor is it possible to create a dummy user. I apologize for any inconvenience.
Please let us know if we can help you in any other way.
Sincerely,
Matt P.
Online Support Technician
I know this is an old thread, I was looking for an answer to this myself, but just so anyone else looking for this answer knows...DiscountASP.Net is a hosting provider specializing in .Net hosting, and they provide a way to encrypt your web.config connection
string using the RSA method.
There are people in need of help. Charity is one of the nobler human motivations. The act of reaching into one's own pockets to help a fellow man in need is praiseworthy and laudable. Reaching into someone else's pocket is despicable and worthy of condemnation. - Walter Williams
None
0 Points
4 Posts
GoDaddy - Encrypt Connection String
Aug 01, 2007 12:41 PM|Andarial|LINK
I have a Deluxe hosting account at GoDaddy, using a SQL Server 2005 DB.
I wanted to get both data repositories ("Personal" and "LocalSqlServer") in one source in a SQL DB and get away from the .mdf SQL file, so I added the tables & stored procs from the aspnetdb.mdf file and inserted them into my hosting DB. Now I would like to encrypt my connection strings in the web.config so that it is no longer in plain text, however I'm having an issue with encrypting/decrypting the strings.
I don't have any issues encrypting/decrypting the connection string for the album data ("Personal" connection string), however, the AspNetSqlRoleProvider does not like reading an encrypted connection string ("LocalSqlServer"), and I don't know if there's a way to decrypt it before providing it. I've played around with the DPAPIProtectedConfigurationProvider and RSAProtectedConfigurationProvider and it works locally, but as soon as I upload it to my hosting server, it doesn't want to work.
Does anyone know if there is a way to protect the connection string the AspNetSqlRoleProvider uses? Or do you know if GoDaddy allows you to use DPAPIProtectedConfigurationProvider or RSAProtectedConfigurationProvider? I've tried Googling every possible keyword combination but I haven't had any luck with it.
How are other people dealing with encryption for this?
Thanks in advance!
Lisa
ASP.NET 2.0 Godaddy Security ASP.NET sql server 2005 AspNetSqlRoleProvider web.config
Star
12480 Points
2830 Posts
Re: GoDaddy - Encrypt Connection String
Aug 02, 2007 03:24 PM|Bruce L|LINK
Lisa,
I think in order for you to encrypt your web.config file, the RSA key needs to be installed on the server.
Another not so secure option is to use the machine key to encrypt but this is pretty useless because anyone on the server have access to that key.
http://www.discountASP.NET
None
0 Points
4 Posts
Re: GoDaddy - Encrypt Connection String
Aug 07, 2007 12:49 PM|Andarial|LINK
Thanks, Bruce. I was thinking the same thing before I posted, but I was hoping there was another way.
We'll see how much luck I have...I've tried contacting them before and their customer support is terrible. I'll contact them, then I'll come back and repost.
Thanks again!
Lisa
Member
15 Points
71 Posts
Re: GoDaddy - Encrypt Connection String
Feb 04, 2008 04:21 PM|lg1382|LINK
Did you find a solution to encrypting your connection strings with godaddy shared hosting? I am having the same trouble. They mentioned to me that part of the problem may lie in the fact that the applications are set up using medium trust for shared hosting users.
Please reply if you have found a solution! Thanks!
None
0 Points
4 Posts
Re: GoDaddy - Encrypt Connection String
Feb 07, 2008 04:16 AM|xb90|LINK
Same problem here - searching the Godaddy "Help Center" turned up nothing.
Surely there must be a way to do this.... anyone know if other hosting sites offer a method?
Member
15 Points
71 Posts
Re: GoDaddy - Encrypt Connection String
Feb 07, 2008 12:28 PM|lg1382|LINK
xb - You would think there would be a way to secure your database connection strings!
I've spent a fair amount of time talking to Godaddy about this issue and they pretty much told me it is not possible to encrypt your web.config files, nor will they allow you to create a read-only / dummy user. A read-only user would atleast provide some protection to your data if the credentials were uncovered from the connection string. I would encourage everyone having an issue related to this to contact godaddy and post in this forum thread. From every web forum / discussion / msdn help files I have read on this issue, having encryption and/or a read-only account are considered a standard in securing your db and I think godaddy needs to provide atleast one, if not both, of these solutions for its customers.
Here are some responses I've received from godaddy about this issue... I particularily like the part where they claim they are unaware of decompilation software and any risks presented by decompilation (Google - "salamander decompilation" or "vb/c#.net decompilation" for example). The capabilities do exist and so do the risks.
************************
2/01/2008
Dear Lance,
I apologize for any confusion. While you cannot encrypt the web.config file (which may be due to the medium-trust level for .net 2.0 on our servers), the IIS configuration on our shared servers will not allow it to be served to a visitor of your website. The only way to access the web.config file would either be through FTP or a script that you would first need to upload to your account as the administrator.
As for your question regarding decompilation software that may compromise your web.config file, we are not aware of any such security risks or software. The permissions placed on your folder on the shared server ensures that no other users on the system will be able to access it's contents.
If you have any further questions, please feel free to reply to this email.
Sincerely,
Frank P.
Online Support Supervisor
************************
2/04/2008Dear Lance,
Thank you for contacting Online Support. The lack of encryption is due to the fact that we do not allow for remote connections using our databases, therefore; the login information regarding the databases would never leave our system. Unfortunately it is not possible to change the medium trust level nor is it possible to create a dummy user. I apologize for any inconvenience.
Please let us know if we can help you in any other way.
Sincerely,
Matt P.
Online Support Technician
************************
Member
5 Points
60 Posts
Re: GoDaddy - Encrypt Connection String
Sep 29, 2009 07:53 PM|tsanet|LINK
FYI
At this time, I am able to create a read-only db user on GoDaddy.
However, still nothing on encrypting my web.config sections. BOO!
GoDaddy Encrypt web.config connection string secions
Some sig about something
None
0 Points
5 Posts
Re: GoDaddy - Encrypt Connection String
Jun 09, 2010 10:09 AM|davidayres|LINK
I know this is an old thread, I was looking for an answer to this myself, but just so anyone else looking for this answer knows...DiscountASP.Net is a hosting provider specializing in .Net hosting, and they provide a way to encrypt your web.config connection string using the RSA method.
Check this link here in their help docs:
https://support.discountasp.net/KB/a335/how-to-install-your-rsa-keys-webconfig-encryption-on.aspx
Hope this help!