How to encrypt connection strings in web.config when publishing to server
Oct 10, 2013 12:18 PM | rpfinnimore
In my web.config I have connection strings specifying database names, userids and passwords. I noticed that after publishing to the server I can go to the inetpub folder on the server open the web.config and can see the userid and password etc in plain text.
How should I go about encrypting the connection string information when publishing my site to the server? Am I right in thinking it would be common practice to do so?
If the question is dumbass please excuse I'm still a bit of a newbie...thanks in advance for any help, Roscoe
Re: How to encrypt connection strings in web.config when publishing to server
Oct 10, 2013 12:58 PM | smirnov
aspnet_regiis (from C:\Windows\Microsoft.NET\Framework\version) has a few keys such as -pe, -pef to encrypt configuration sections. Using that tool you can encrypt the connectionStrings section in Web.config. Read more at http://msdn.microsoft.com/en-us/library/ms998280.aspx
The tool has to be run directly on the server, and the configuration will be overwritten if you publish the solution again after that. So you can either run that tool once and not use the publish function (perform a manual upload of updated files) or use the flow explained at
http://randomdotnetnuggets.blogspot.com.au/2013/05/publishing-encrypted-connection-strings.html
You can also consider using integrated authentication, so your config will not have a password and login name. Example:
<add name="NorthwindConnection"
connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
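An added example (not from smirnov's post or the linked articles): a PowerShell step to run elevated on the server after each publish, which checks whether connectionStrings in the freshly published web.config holds a plaintext password and, if so, encrypts it with the -pef switch mentioned above and verifies the result. The site folder and the framework directory are assumed values, and the function name is hypothetical.

```powershell
# Added example. Run elevated on the web server after each publish.
# Assumed values: adjust to the server's site folder and .NET Framework directory.
$SiteDir = 'C:\inetpub\wwwroot\MySite'
$RegIis  = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

function Get-ConnectionStringsState {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    # local-name() keeps the lookup working if <configuration> declares an xmlns.
    $section = $xml.SelectSingleNode(
        '/*[local-name()="configuration"]/*[local-name()="connectionStrings"]')
    if ($null -eq $section) { return 'Missing' }

    # An encrypted section carries configProtectionProvider and an <EncryptedData> child.
    $enc = $section.SelectSingleNode('*[local-name()="EncryptedData"]')
    if ($section.GetAttribute('configProtectionProvider') -and $null -ne $enc) {
        return 'Encrypted'
    }

    foreach ($add in $section.SelectNodes('*[local-name()="add"]')) {
        if ($add.GetAttribute('connectionString') -match '(?i)\b(password|pwd)\s*=') {
            return 'PlaintextPassword'
        }
    }
    return 'NoPassword'   # for example Integrated Security=SSPI
}

$config = Join-Path $SiteDir 'web.config'
$state  = Get-ConnectionStringsState -ConfigPath $config
Write-Output "connectionStrings before: $state"

if ($state -eq 'PlaintextPassword') {
    # -pef <section> <physical directory that contains web.config>
    & $RegIis -pef 'connectionStrings' $SiteDir

    # Re-read the file: a publish must not leave the section in plaintext.
    $state = Get-ConnectionStringsState -ConfigPath $config
    if ($state -ne 'Encrypted') { throw "Section still not encrypted (state: $state)" }
    Write-Output 'connectionStrings after: Encrypted'
}
```

With the default RSA provider, the application pool identity must be able to read the key container, which `aspnet_regiis -pa` grants.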
Re: How to encrypt connection strings in web.config when publishing to server
Oct 15, 2013 04:21 AM | Ruchira
smirnov has given you a good reply on how to encrypt the sections in the web.config file.
As a side note, keep in mind that the web.config file is so highly secured that you usually don't need to worry about users accessing it.