CODEDIGEST
Home Articles CodeDigest Tutorials FAQs
Home > CodeDigest >  
Technologies
 


Encrypting/Decrypting Connection String in ASP.Net
Submitted By Satheesh Babu B
On 4/9/2009 10:05:01 PM
Tags: asp.net,CodeDigest  

Encrypting/Decrypting Connection String in ASP.Net

 

When we use Sql authentication to connect to database it will be better if we encrypt and decrypt the connection string for security purpose because the userid and password are specified in clear text. Even though, users can't access web.config file, it is still not safe because the server admins can still see the userid and password from web.config files. For example, in shared hosting environments. So, it will be better if we encrypt the connection string in web.config file in these scenarios. 

 

Understanding this need, Microsoft introduced a new technique to encrypt and decrypt the Web.Config sections in Asp.Net 2.0.

 

ASP.Net 2.0 has 2 providers for encrypting and decrypting config sections, RSA(RSAProtectedConfigurationProvider) and DPAPI(DataProtectionConfigurationProvider)

 

To encrypt a connection string section,

protected void btnEncrypt_Click(object sender, EventArgs e)

    {

        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)

        {

            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

            config.Save();

        }

    }

 

To use RSA algorithm, use  RSAProtectedConfigurationProvider in the place of DataProtectionConfigurationProvider in the above code snippet.

 

This is how the connection string section will look like once encrypted,

<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">

  <EncryptedData>

   <CipherData>

    <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAkNndGkx6M06QQFz+

eH4CEgQAAAACAAAAAAADZgAAqAAAABAAAABnbufC7mjGVvEtpmFPMqb8AA

AAAASAAACgAAAAEAAAAE/T9z3T5oBv2fMob6hZJsCYAQAAwjp5wFWl7ppY

zHmMSSQPsIoLGnmlVTIPdcldbx3ZvWQwyr6GWCZPd0PmQG5AGX2XfRqGSazdWgWn

1vnCV1u67Lfaf5Be4BABIT2SB+gXcjA3MCaqNvK4PICPNk4s662xPIrCycBv+Vl5ug

TS7zstqVSLhFqAVs7DKNmUoWFSa+6RvtyrdK57Uh4wyP0WdD/doAVByLJjQ8RVKVWm

IyFmi8iQiACVQPgNOGMKRVuchxpc6fiARnyTuMrQ6ZWS15f2G/vwLg9Q/7QBWOpKh4t

LOeoFJX/m+l+9sCD1dJ2Jb/orKg2Nh1aUjfjqnkNZG1jY9JUDLhxGOx8tsPP75VlIw

OqsgNOdojP8BiXJsrDfPhp/BKmV6dgZEvOh2HBkt4x2y0fb9CDlvI/F28lVQGw741If

0P34UTBVZxbe6ka1075rlbXNSCjd33U+mx2ZNk7PG/c8HK6bql5ILM/sxO0wjUP68F

wK2s3CadKzaki9eeTiIE9uGnlctq9Chb2f2E1uwnrefd856BzTK8eOGxTTbF8PU9uFp

Hc1FAAAAMFZTg7MFHHeRLFM9s6ZJ1uBuOkr</CipherValue>

   </CipherData>

  </EncryptedData>

 </connectionStrings>

 

The connection string can be still accessed in code by regular ways,

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["Sql"].ConnectionString);

 

To see back the original connection string we need to decrypt it.

To decrypt a connection string section,

  protected void btnDecrypt_Click(object sender, EventArgs e)

    {

        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)

        {

            section.SectionInformation.UnprotectSection();

            config.Save();

        }

    }

 

 

 

 

Recent Codes
  • View All Codes..