how to encrypt a connection string in web.config file?

Question Posted / rupa.atchuta

3 Answers
10739 Views
Hexaware, I also Faced
E-Mail Answers

Answers were Sorted based on User's Feedback

how to encrypt a connection string in web.config file?..

Answer / kinjal panchal

Is This Answer Correct ?

4 Yes

3 No

how to encrypt a connection string in web.config file?..

Answer / ananth

Taking a clue, Microsoft has provided the capability to
encrypt sensitive information in configuration files
including connection strings in ASP.NET 2.0. With this new
capability you can easily encrypt sections of configuration
files which makes your application secure.

This new capability brings it with performance overhead that
occurs when you encrypt or decrypt sections of web.config
files. So use it sparingly. That means be judgmental and
judicious when you decide to encrypt data.

ASP.NET 2.0 introduced Protected Configuration model that
allows you to encrypt data using two Protected Configuration
Providers. They are:

*

RSAProtectedConfigurationProvider: This is the default
provider and uses the RSA Public Key Encryption algorithm to
encrypt and decrypt data.
*

DataProtectionConfigurationProvider: This provider
uses Windows Data Protection Application Programming
Interface (DPAPI) to encrypt and decrypt data.

Let's explore this new capability of encrypting and
decrypting of connection strings in web.config files using
above two providers available in ASP.NET 2.0.
Programmatic Encryption/Decryption

Take web.config file which contains valid connection string
from some existing project. Bellow is an example of
configuration section.

<configuration>
<appSettings/>
<connectionStrings>
<add name="NorthwindConnectionString"
connectionString="Data Source=ARAS02-XP;Initial
Catalog=Northwind;User ID=sa"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<compilation debug="true"/>
<authentication mode="Windows"/>
<pages theme="Theme1" />
</system.web>
</configuration>

You can observe <connectionStrings> section in above sample
which contains connection string information.

Add new form to your existing project and add the below
method EncryptConnString() to code behind of the form. We
will use RSAProtectedConfigurationProvider model to encrypt
the connection strings. We will try to analyze this magic
piece of code. Let's start with namespaces. The
System.configuration namespace contains classes which deal
with the configuration information associated with client
applications and ASP.NET applications. The
System.Web.Configuration.WebConfigurationManager class is
the preferred way to provide programmatic access to
configuration files of ASP.NET web applications. You can use
one of open methods provided by WebConfigurationManager that
return configuration object which in turn provides the
required methods and properties to handle the underlying
configuration files. The GetSection method of configuration
object returns the connectionStrings section object for the
web.config file.

using System.Web.Configuration;
using System.Web.Security;
using System.Configuration;

public void EncryptConnString()
{

Configuration config =
WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section =
config.GetSection("connectionStrings");
if (!section.SectionInformation.IsProtected)
{

section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
config.Save();
}
}

Encrypting Connection string using
RSAProtectedConfigurationProvider model

You can observe in below listing that connectionStrings
section is encrypted when we execute above method using
RsaProctectedConfigurationProvider model.

<connectionStrings
configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>
NQPKYTuUVO5SWpxXdBUpoMKYYUmEBBuAw8LXe+DxMYrkMzzAJsUVw6uZZLJXWa9ipAEx
hvS2hhkGx7MHkpustn+IT+PpuxtIKSDFkumZdA/3kcaHuSO74M75Qt+BmW42v/KWNwVv
7umXLz78ka4jDeY/yf2BMpkcs35TkSS9PVM=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>
MVKe6xdu6h4DqGHmzuzeBqaWcL+m+Rl0EHi9uwQAqhZ9N56HzGgC66cXEiDJ8IGaSCrAYm
7z2ERQYKwjMyTJMkiJ3cSk7CSgqxfrT3+7+DzzKMkB489AmADfxtRyt3JE0bWIclhsHgLn
YthS6mMiXTusSzRIcPMESb+ZAIkyCTPt6+2BxDNimgFX42Xt7abvNinknaUk
uJYKr7tgOzVfS00IesVA/jou1t8FTjM14b9YGvHPtBDq00Jm/cD9iGtP2OM6RnhLgy+MUr
3NPiuWutsEcUGELfOwkMvKQ6Igsg6eqae4c0dZlg==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>

Similarly, we can encrypt connectionStrings information
using DataProtectionConfigurationProvider model. Use the
same above method and replace parameter for ProtectSection
method with DataProtectionConfigurationProvider as shown below.

section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");

<configuration>
<appSettings/>
<connectionStrings
configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAcHu0TgBbIEyfG1RWWqIDSgQAAAACAAAAAAADZg
AAqAAAABAAAACSAX+UlFBbL2xUT1mYruSgAAAAAASAAACgAAAAEAAAAODHdp8b3SFHl8S6
yVQ/Ydu4AQAAitMpkAI8SjZc349E63yEAV/mVQzOv29H2mXvz2j+2kg8FTGYV95xySZrUH
ICx/i5hBq//iQNc1v/Jp0xLxJf6+K/nSQwJTnGWBn3555HJHKU8yAeQCN9Iw/6YWs/q6oV
GpPwMmoSe6jS+5bHzThxQrpUqxVXB4aHKeVnAfjcdj5bIBKe9jaZ0kP31UVlB9TB5z+94G
a6LNWuWWcZf/iAfrZ/EZMkEcGJE20Reb3XSm/e+LN1di2YyRxXVYV+b6MDTi7DgHC7ilZs
g+/81jCn2UtW4k74wKDXrTjAS3LgWxBdFEUPnwSKbKF+/DF24MVECZ6t7oyxoPH7OqaxR/
IDnPLxHAqtd8eT9VKmzouULpQBwrO6echS1MJL8zmvCNMsLz1JnyBlwxYvst8tQs+5MCIn
dQ1K9615hLiwP/JIUy9T3Hk1pCn37m8tEV+meRguS1yIOXMQ3nsPUI5d1C+Nt4068EecEk
uoWujCEUHu9JcpZa2KVsnSYLix5MOEvqGPtbSMmTt7TE7leicEpEn6Hm3LWYQE2N85Skpt
x5AN/Pfuwl42fMzzs07ZhRFtLDwku/a2/ZQahHIUAAAAdOITPi1vY6agWisqaA6+H/qOoc
s=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
<system.web>
<compilation debug="true"/>
<authentication mode="Windows"/>
<pages theme="Theme1" />
</system.web>
</configuration>

Encrypted Connection String using
DataProtectionConfigurationProvider

You can in the similar way decrypt connection strings
information using below method.

public void DecryptConnString()
{
Configuration config =
WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section =
config.GetSection("connectionStrings");
if (section.SectionInformation.IsProtected)
{
section.SectionInformation.UnprotectSection();
config.Save();
}
}

Remember, we cannot encrypt all sections of web.config file
using this above programmatic approach. There are few
sections which need some additional steps before we can
encrypt them with above approach.

*

<processModel>
*

<runtime>
*

<mscorlib>
*

<startup>
*

<system.runtime.remoting>
*

<configProtectedData>
*

<satelliteassemblies>
*

<cryptographySettings>
*

<cryptoNameMapping>
*

<cryptoClasses>

In order to encrypt these configuration sections you must
encrypt the value and store it in the registry. There's an
aspnet_setreg.exe command-line tool to help along with this
process.

Is This Answer Correct ?

2 Yes

2 No

how to encrypt a connection string in web.config file?..

Answer / anand gopal makwa munger

write the code on web.config file Like below

<configuration>
<appSettings/>
<connectionStrings>
<add name="Connection" providerName="System.Data.SqlClient" connectionString="server=abc\Sqlexpress;IntegratedSecurity=SSPI;DataBase=XYZ"/>
</connectionStrings>
</configuration>

and write the code Behind page(ie .cs File)

ConnectionStringSettings con = ConfigurationManager.ConnectionStrings["Connection"];
SqlConnection conn = new SqlConnection(con.ConnectionString);

Is This Answer Correct ?

0 Yes

5 No

Post New Answer

More ASP.NET Interview Questions

How does asp net store session ids by default?

0 Answers

when the threads are used in dot net.

2 Answers

which one is faster execute reader, scalar, execute non query ?

18 Answers Intiger, Minecode,

what are the advantage in asp.net and what are the question ask for interview in vb.net and asp.net

0 Answers TCS,

Define application state variable and session state variable?

0 Answers UGC Corporation,

What are the layouts of ASP.NET Pages?

0 Answers

In which event of the page life cycle, is the viewstate available?

0 Answers

when i want to use asp.net configuration for creat users and roles i recived this message: There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store. The following message may help in diagnosing the problem: Unable to connect to SQL Server database. when i clicked the choose data source button that give me another message that is this: Use this page to configure how Web site management data such as membership is stored. You can use a single provider for all the management data for your site or you can specify a different provider for each feature. Your application is currently configured to use the provider: AspNetSqlProvider Select a single provider for all site management data Select a different provider for each feature (advanced) ------------------------- and this message was reapeted in other choose again. please help me if u know why i gave that message so i wont can creat my users and roles

0 Answers

Explain the difference between value type and reference type?

0 Answers

How do you handle unhandled exceptions in ASP.NET?.

3 Answers

Differnce between Control an View State

1 Answers Proteans,

What is the use of service provider?

0 Answers

For more ASP.NET Interview Questions Click Here