Shane Duffy

Protecting web.config Connection strings

Posted on: July 26, 2007

It is recommended that you store your database connection strings in the Web.config file and encrypt them. In the .NET Framework 2.0, you can enable configuration encryption through the <protectedData> section of the web.config file.
For example:
<add name="connectionStrings" provider="RSAProtectedConfigurationProvider"/>
There are two predefined providers that you can find in the .NET Framework 2.0:
1. DPAPIProtectedConfigurationProvider: uses the Windows Data Protection API (DPAPI) to encrypt and decrypt configuration data.
2. RSAProtectedConfigurationProvider: uses RSA encryption to encrypt and decrypt configuration data.

Both the RSA and DPAPI providers are good options for encrypting sensitive data.
However, DPAPI is not recommended for protecting sections in a web farm scenario, because the same encrypted web.config file is deployed to all the machines and DPAPI keys are specific to the machine that did the encrypting. What you can do here is either encrypt the web.config file manually on each machine, or copy the same key container to every machine.

To create a key container: aspnet_regiis.exe -pc YourContainerName -exp
Export it to an XML file: aspnet_regiis.exe -px YourContainerName YourXmlFile.xml
Move the XML file to the other machine and import it there: aspnet_regiis.exe -pi YourContainerName YourXmlFile.xml
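The three commands above are the core of the web-farm procedure. The script below is an added example (not from the original post) that strings them together with the two pieces a practitioner usually trips over: exporting with -pri so the private key travels with the container (without it, other servers can only encrypt, never decrypt), and granting the worker-process identity access to the container with -pa. The container name, file path, application path, account and provider name are placeholders; the provider entry it prints goes in the configProtectedData section of web.config, which is the actual element name for what the post calls <protectedData>.

```powershell
# Added example: share one RSA key container across a web farm so every server
# can decrypt the same encrypted web.config. All names below are placeholders.
$aspnetRegiis = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
$container    = "MyFarmKeys"                    # hypothetical key container name
$exportFile   = "C:\keys\MyFarmKeys.xml"        # hypothetical path for the exported key
$appPath      = "/MyApp"                        # hypothetical IIS application path
$identity     = "NT AUTHORITY\NETWORK SERVICE"  # account the worker process runs as
$providerName = "MyFarmRsaProvider"             # hypothetical provider name for web.config

# --- Run once, on the first server only ---
# Create a machine-level RSA key container; -exp makes the private key exportable.
& $aspnetRegiis -pc $container -exp

# Export the container INCLUDING the private key (-pri). Without -pri the XML holds
# only the public key and the other servers would be unable to decrypt anything.
& $aspnetRegiis -px $container $exportFile -pri

# --- Run on every other server, after copying the XML file there ---
if (-not (Test-Path $exportFile)) { throw "Copy $exportFile to this server first." }
& $aspnetRegiis -pi $container $exportFile

# --- Run on every server, including the first ---
# Give the worker-process identity read access to the container; otherwise the
# application cannot open the container at runtime and decryption fails.
& $aspnetRegiis -pa $container $identity

# The provider entry that must be merged into the configProtectedData section of
# web.config so -prov below (and the runtime) can find the shared container.
$providerXml = @"
<configProtectedData>
  <providers>
    <add name="$providerName"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="$container"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
"@
Write-Output "Merge this into web.config before encrypting:"
Write-Output $providerXml

# Encrypt the connectionStrings section of the application with the shared provider.
# Because every server holds the same container, the encrypted web.config can then be
# deployed to all of them unchanged.
& $aspnetRegiis -pe "connectionStrings" -app $appPath -prov $providerName

# The exported XML contains the private key: delete it once every server has imported it.
Remove-Item $exportFile -Force
```

Run the first block on one server, copy the XML to the others over a protected channel, import and grant access on each, and only then encrypt and deploy the web.config. To revert to plain text for troubleshooting, aspnet_regiis.exe -pd "connectionStrings" -app $appPath decrypts the section in place.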

Here is an article that discusses Encrypting Connection Strings in Web.config.


1 Response to "Protecting web.config Connection strings"

Hi All,

Thanks for your reply and advice.

My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.

The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?

