Okay, I found a link online walking me through how to encrypt the connection string portion of the web.config file. Is there anyone who's ever done this that can answer a couple of questions for me? I tried googling the answers but nothing came up that explained what I needed to know.

A little background as to why we are doing this. I need to download data from an outside source that my supervisor has access to. He wants me to download this data daily rather than monthly (which he has to do for me). He wants to put in his user name and password for the connection information and then we'll encrypt it so I can't see his log on information.

The questions I have are as follows:

1. Can you encrypt a development connection string? The instructions I see seem to show it being encrypted after it's deployed.
2. Once you encrypt the connection string information can you add other connection strings? If yes, do you need to decrypt and re-encrypt or are they added without encrypting?
3. Also he has to reset his password every 60-90 days. Does that mean he'll have to decrypt the connection string, input his new password and then re-encrypt it again?

If you don't have experience with this but know a good on-line source I'd take that also. I just want to understand how this is going to work before I try to implement it.


Why not use SSPI - your web application is probably running under a service user account. SSPI allows SQL authentication to be tied to the service user account - this way there will be no need to save username and password in the web.config.

Best regards
Espen Harlinn
Wonde Tadesse 11-Feb-12 10:58am    
5+. Perfect, this is the right solution.
Espen Harlinn 11-Feb-12 11:03am    
Thank you, Wonde!
Tech Code Freak 12-Feb-12 1:01am    
Espen Harlinn 13-Feb-12 14:03pm    
Thank you, Tech Code Freak!
CARisk3 13-Feb-12 13:00pm    
Okay. I guess I should have been more specific in the background information. We don't own this information or the system that the information is stored on. It's PHI (personal health information) data and it's not stored in an SQL database. It's stored in an application-specific storage. The connection string not only contains user name and password but also the location of the stored data.
1 - If you can do it at all, I'm sure you can do it in development. How you handle that is up to you. But, unless there's a built-in decryption method that doesn't involve your code, you're going to be able to decrypt it and read it anyhow.

2 - I have no idea, sorry, if the setting for encryption is not on the connection string level, then I assume they all need to be encrypted or not.

3 - Yes, of course it does.
Well, I tried to encrypt the development web.config and it didn't work. I did find the following article that makes it seem as if I can't encrypt the development web.config, I can only encrypt the deployed one.

If anyone knows of a way this can be done, please let me know.

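As an added example (not code from any of the posts above), here is one way to work with an encrypted `connectionStrings` section through the .NET protected-configuration API. It assumes a System.Web application whose identity is allowed to write its own web.config; the class and method names are hypothetical. It covers questions 2 and 3 (entries are added or changed through the API and the section is written back encrypted) and the caveat raised in the second answer: code running inside the application reads the plaintext.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper class, written for this example.
public static class ConnectionStringProtection
{
    // One of the two providers registered by default in machine.config.
    // It uses DPAPI, so the ciphertext is tied to the machine that produced it.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the web.config at virtualPath (for example "~").
    public static void Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save();
        }
    }

    // Adds a new entry or replaces the value of an existing one (a password
    // rotation). The API decrypts the section on load and, because the section
    // is still marked as protected, Save() writes it back encrypted.
    public static void SetConnectionString(string virtualPath, string name, string value)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        var section = (ConnectionStringsSection)config.GetSection("connectionStrings");
        ConnectionStringSettings entry = section.ConnectionStrings[name];
        if (entry == null)
            section.ConnectionStrings.Add(new ConnectionStringSettings(name, value));
        else
            entry.ConnectionString = value;
        config.Save();
    }

    // Decryption is transparent: any code running in the application gets the
    // plaintext, so encryption protects the file at rest, not the secret from
    // someone who can deploy or debug code in this application.
    public static string Read(string name)
    {
        ConnectionStringSettings entry = WebConfigurationManager.ConnectionStrings[name];
        return entry == null ? null : entry.ConnectionString;
    }
}
```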

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
