The most sensitive piece of information stored in the web.config file is usually the connection string. You do not want to disclose your database details to every user of the machine where the application is deployed, and it is not always possible to have a private machine for your sites; you may need to deploy to a shared hosting environment. In that situation it is advisable to encrypt the connection string.
ASP.NET 2.0 provides built-in functionality to encrypt selected sections of the web.config file. The task is done with Aspnet_regiis.exe. Below is the <connectionStrings> section of the web.config file.
<connectionStrings>
  <add name="cn1"
       connectionString="Server=DB SERVER;database=TestDatabase;uid=UID;pwd=PWD;" />
</connectionStrings>
Fig – (1) Connection string section of web.config file
To encrypt the connection string section, follow these steps:
1. Go to Start -> Program Files -> Microsoft Visual Studio 2005 -> Visual Studio Tools
-> Microsoft Visual Studio 2005 Command Prompt
2. Type the following command:
aspnet_regiis.exe -pef "connectionStrings" C:\Projects\DemoApplication
-pef indicates that the application is built as a file system web site. The second argument is the name of the configuration section to be encrypted. The third argument is the physical path of the directory where the web.config file is located.
If you are using an IIS-based web site, the command is:
aspnet_regiis.exe -pe "connectionStrings" -app "/DemoApplication"
-pe indicates that the application is built as an IIS-based site. The second argument is the name of the configuration section to be encrypted. The third argument, "-app", indicates that a virtual directory follows, and the last argument is the name of the virtual directory where the application is deployed.
If everything goes well you will receive the message "Encrypting configuration section…Succeeded!"
Open your web.config file and you will see that the connection string section is now encrypted:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>Ik+l105qm6WIIQgS9LsnF8RRxQtj2ChEwq7DbHapb440GynFEoGF6Y3EM3Iw/lyDV8+P8bIsketi5Ofy9gpZlCBir7n315Q6RPbdclUo79o/LKadhX4jHFpnSIQNIF/LhwjwkLFC0=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>JsLrQ5S8Pq3U72nQzmSl/XlLX72GM0O3EbPLaHRNvjTDgG9seDflGMjTfO10M1s7/mPh//3MhA7pr0dNHUJ143Svhu5YXODRC6z9CkR0uyE4H7uDvTKJ8eR3m9APhXoo1sT1K3tCLHD6a2BM+gqSk9d8PzCfbM8Gmzmpjz1ElIaxu62b4cg9SNxp8o86O9N3fBl2mq</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
Fig – (2) Encrypted connection string section
You do not have to write any code to decrypt this connection string in your application; .NET decrypts it automatically. So if you write the following code you will see the plaintext connection string:
Response.Write(ConfigurationManager.ConnectionStrings["cn1"].ConnectionString);
Now, to decrypt the configuration section in the web.config file, use the following command.
For a file system application:
aspnet_regiis.exe -pdf "connectionStrings" C:\Projects\DemoApplication
For an IIS-based application:
aspnet_regiis.exe -pd "connectionStrings" -app "/DemoApplication"
If you want to encrypt a nested section of the web.config file, such as the <pages> element within <system.web>, you need to write the full section path (section names are case-sensitive) as shown below:
aspnet_regiis.exe -pef "system.web/pages" C:\Projects\DemoApplication
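The same encrypt and decrypt steps, including the nested section path form, can be done from code instead of the command line. This is an added C# example, not code from the original post; the class name ConfigSectionProtector and its parameters are hypothetical, and it assumes it runs on the web server itself (the RSA key container is machine-local) under an account allowed to write web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (not from the original post): does programmatically what
// aspnet_regiis.exe -pe / -pd do, using the same RsaProtectedConfigurationProvider.
public static class ConfigSectionProtector
{
    const string Provider = "RsaProtectedConfigurationProvider";

    // virtualPath: application root such as "/DemoApplication";
    // sectionPath: "connectionStrings" or a nested path such as "system.web/pages".
    public static bool Protect(string virtualPath, string sectionPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionPath);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionPath);
        // Already encrypted (configProtectionProvider attribute present) or locked: nothing to do.
        if (section.SectionInformation.IsProtected || section.SectionInformation.IsLocked)
            return false;
        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified); // writes the <EncryptedData> block
        return true;
    }

    public static bool Unprotect(string virtualPath, string sectionPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionPath);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading never needs explicit decryption: the runtime decrypts transparently,
    // so this returns the plaintext string whether or not the section is protected.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Because the key container lives on the machine that ran Protect, a web.config encrypted on a developer box will not decrypt on the server; run it on the target server.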
You can encrypt all sections of the web.config file using the method shown in this article, except the following:
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
To encrypt these sections you need to use the Aspnet_setreg.exe tool. For more detail about the Aspnet_setreg.exe tool, search for Microsoft Knowledge Base article 329290, "How to use the ASP.NET utility to encrypt credentials and session state connection strings".
Happy Programming !!!
Nice info, thank you
nice article.
Great resource
only thing is no Quotes on connectionstring
Very useful information is available on your site…
So much to the point. I liked it 🙂
Hi Chirag,
I have a little doubt over it, as anybody will be able to decrypt the config file even though it is in the encrypted form.
And then can see all the information like passwords etc which we tried to encrypt by using aspnet_regiis.exe etc.
So what is the benefit of encryption then?
If your sysadmin locks down access to aspnet_regiis.exe and all the other things they should, the only people who will be able to run this will be specified privileged users.
what “other things” should we lock down access to?
hi Chirag,
the inverted comma for the section is not required.
— > aspnet_regiis.exe -pdf “connectionStrings” C:\Projects\DemoApplication
system throws an error could not find ‘ “connectionStrings” ‘ section in the config file
format would be as follows
aspnet_regiis.exe -pdf connectionStrings C:\Projects\DemoApplication
aspnet_regiis.exe -pef connectionStrings C:\Projects\DemoApplication
🙂
thank you Kiran for the help in web config encryption
Hello Chirag,
I am having an N-Tier application and deploying the project using a Web Setup project. We use MSI to deploy the project on the Dev/Prod server. Can you please help me out with where to encrypt the connection string? Because if I encrypt it here, it works fine on the local machine, but not on the Dev server.
Please Help..
Thanks in advance.
🙂
I must say, that I can not agree with you in 100%, but that’s just my IMHO, which indeed could be wrong.
p.s. You have a very good template . Where have you got it from?
I’m getting this error
Sys.WebForms.PageRequestManagerServerErrorException after using the encryption
What need to be imports?
This method of encryption is at best a beginners effort.
Grow up and start using System.Security.Cryptography like any real software engineer would do.
Or provide code and documentation to demonstrate an alternate viewpoint like USA Rocks did! Oh, right…
Thanks for taking time out to share the information Chiragrdarji.
K.I.S.S. Rocky
USA Rocks! Why would you post something the way you said it? It is unkind and adds fuel to the fire that we Americans are a bunch of snobs. Which by and large is not true.
A much more effective (and kind) way of saying it would have been:
“The way security is implemented in this method is good for situations that require minimal security and is better than nothing. An more secure alternative would be using System.Security.Cryptography as shown in the following example: http://sharpertutorials.com/simple-string-encryption-and-decryption/“
How is Integrated Security more secure than encrypting a connection string?
In order for someone to be able to decrypt your connection string, they would have to gain access to your machine. They can’t just FTP over the files (in cases where they hacked your FTP for example) because they couldn’t decrypt it on a different machine. So, they would have to be on your original machine. Once they’re on there, they could do it in one of two ways: 1. you could have left access to aspnet_regiis.exe and then they can run it to decrypt, or, if you didn’t leave access, they’d need to gain access to it somehow. So, the problem for them would be getting access to two accounts. 2. you could have Visual Studio installed on your server; they can debug your application, break point on the connection string and see what it is. (provided that it actually shows you as opposed to just showing you the encrypted string, I don’t know, haven’t tried.)
With integrated security, you will have to impersonate a user, correct? And, so, you will still have to hard code the user name and password to impersonate on the database server into the impersonation tag in the configuration file.
Now, you can encrypt this, so, therefore you can also decrypt this.
I don’t see how it would be any different, that is, any more secure, than just encrypting the connection string.
How would that work? You would have the key to decrypt the string straight in the code. What good does that do?
At least with the method Chirag proposes you can restrict access to the aspnet_regiis.exe file decreasing the probability that someone will decrypt your strings because now they will have to hack two passwords: one to your machine and the other to the aspnet_regiis.exe file.
With your proposed method, they only need access to your machine. You’re providing them the key to decrypted straight in the code.
Putting any kind of user name and password in the connection string is pretty obsolete … it’s far better to setup the service to have the right connection authority and then set up the database connection string to use integrated security.
We need to get out of the mindset of hard coding things!
But after having said this, it’s a good article 🙂 although it should be edited with the right syntax.
I have my database connection string setup ‘the right way’ and don’t need to encrypt, but our email is outsourced, so THAT password I will have to encrypt. So this will help.
Also, I found out a ‘gotcha’ … don’t do this on a developers machine and then export to the web server, do it directly on the web server (or with a domain admin account). Due to the Blackberry Enterprise Service, my normal desktop account isn’t an administrator but is a local administrator. You have to do the encryption on the server with an admin account or the service account, or the server won’t be able to decrypt the block correctly.
== John ==
How can i decrypt connectionstring dynamically using c#.
c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC>aspnet_regiis.exe -pef connectionStrings D:\MyWebProject
Encrypting configuration section…
An error occurred executing the configuration section handler for connectionStrings.
Failed to encrypt the section ‘connectionStrings’ using provider ‘RsaProtectedConfigurationProvider’. Error message from the provider: Object already exists.
Failed!
I am having this issue.
Hi,
Methods for Encrypting and decrypting a connection string in dotnet are rubbish.
It allows encrypting and decrypting programmatically. What will be the benefits of encryption if a human can decrypt?
very useful blog, all the topics are quite useful..although not yet gone through all the topics, but its worth bookmarking….keep sharing this knowledge 🙂
THANK YOU SO MUCH!!!!!!!!!!!! you saved my ass at work!!!!!!!!!!!!! thanks from Argentina.
Tell me where you live, then I will ask you something.
Really nice article.
Thanks for the help…
Great job..
not working in VS 2010
section is there instead of
when specifying “connectionstring” on the VS 2010 command prompt, it gives the error “section not found”
Hi Sir,
Thanks for your information. I want to know how to encrypt the connection string in ASP.NET 4.0. In 3.5 it is working fine, but not in 4.0.
Please try the sample below, placing the path in double quotes if you have a space in your path. For example:
aspnet_regiis.exe -pef “connectionStrings” “C:\Projects\DemoApplication”
instead of command provided above
aspnet_regiis.exe -pef “connectionStrings” C:\Projects\DemoApplication
Very nice piece of information!thanks
Hi All,
Everything was fine, but I want to know the same encryption for the Microsoft Visual Studio 2010 version. Please, if anyone is aware of this, share the same.
Need to use the right quote marks. If you get “Encrypting configuration section…
The configuration section ‘”connectionStrings”‘ was not found.
Failed!” is because you have the wrong quote marks. Need U+0022
See bottom of this,
http://en.wikipedia.org/wiki/Quotation_mark_glyphs
Why do you need to encrypt the connectionStrings section? If a hacker has access to the web.config file you have more important problems 🙂
You need to make sure you have access rights to write the web.config file. If your OS is Windows Vista, run the VS command prompt as administrator. Let me know if you have any doubts.
Hi, excuse me for my poor English.
I do not understand….
If with a simple Response.Write(ConfigurationManager.ConnectionStrings[“cn1”].ConnectionString);
I can view the whole connection string clearly, this means that even if I do not have administrator privileges, I can simply create an aspx page with that instruction, call it, get the reserved data and delete that page….
I think that encryption of connectionStrings is totally useless; whoever has access to the server’s file system will always be able to see that data…
administrator privileges or not
If someone can create a page in your system then you have a different problem altogether. If someone copies the website thru ftp then they cant see the connection string or any encrypted values in web.config.
There is no one solution for all of the problems.
This is of no use: encrypting the connection string if someone can again decrypt it from a different machine.
Really helpful article ………….. thanks guys
nice article .thanks
Could you please tell what exactly the following XML elements of the encrypted section mean:
1. tripledes-cbc
2. rsa-1_5