Encrypt ConnectionString in Web.Config

15 Jul 2014
Encrypting the configuration in Web.Config

Introduction

This tip explains how to encrypt the connection string in Web.Config to increase security and keep the connection with the database secure. A lot of other sensitive information can be encrypted as well, but in this tip, I'll talk specifically about encrypting the ConnectionString in the Web.Config file.

Why Is It Important?

Encrypting sensitive sections of the Web.Config is important because they are just that: sensitive. Think about a production Web.Config file. It may contain all the information required to run your web application. There are often passwords for SQL database connections, SMTP servers, API keys, or other critical information. In addition, Web.Config files are usually treated as just another source code file, which means any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in the Web.Config file.

Encrypting the Connection String

In our example, we will encrypt ConnectionString in our Web.Config file.

Before Encrypting Web.Config

The Config file below is easily readable. This is not secure if anyone else has access to your Web.Config file.

XML
<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>

Encrypting Web.Config

  1. Open Command Prompt with Administrator privileges.
  2. At the Command Prompt, enter:
    cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

  3. If your Web.Config is located in the "D:\Articles\EncryptWebConfig" directory, enter the following to encrypt the ConnectionString:
    ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"

    Use the Aspnet_regiis.exe tool with the -pef option and specify the application path as shown above.

    Note: The parameter "connectionStrings" is case sensitive.

After Encrypting Web.Config

After encryption, the connectionStrings section is no longer in a readable format.

XML
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>ZbDTF00MYzUUW5U3w3PU0rfiAH1UKhvuLSNWPmB/YifBKne6HAWfVc3CnKVimyP8SFyamaR5oAIAxj/xavfpox8EOYXNI+afsksiuA5huSDupCZKNuXq+VCZrdIyn6YOq+W7s3Ojlu7q9VwKcoKurl28l2hcPvWkBk11KYB7hr0=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>42IPPRUjJxCNDHEBLCAJI4/NyLpLueZSBzUXO69lVdZU8+nLpxO+opnbZNxqddyzNnbCO1Uk2Da3ljExkqnLIxT2zs90JAhZvJ5ljIgCipq7ZEp7zHOpvTH9fBGoZJJWhgdddOrHZsLDE9mILjlvBHDhPQrYcMHtY6oLIbxJq92it82iBJv0fS7v1S/o0p4hAtfky+6hXCZWSKUJHr88NDrKe2EEK3mazD2QD5Ozf/w=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
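
To confirm that a given Web.config actually ended up in the protected form shown above (for example in a build pipeline or a server audit), the following added example, which is not part of the original tip, parses the file and reports the state of the connectionStrings section. The function name `audit_connection_strings`, the "Reporting" entry and the placeholder cipher values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample inputs (no real credentials or ciphertext).
PLAIN = """<configuration><connectionStrings>
  <add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
  <add name="Reporting" connectionString="Data Source=db01;User ID=app;Password=EXAMPLE-ONLY;" />
</connectionStrings></configuration>"""
PROTECTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""


def audit_connection_strings(config_xml):
    """Report whether <connectionStrings> in a Web.config document is protected."""
    root = ET.fromstring(config_xml)  # parse only config files you control
    section = root.find("connectionStrings")
    if section is None:
        return {"state": "absent"}
    provider = section.get("configProtectionProvider")
    encrypted = section.find(f"{{{XMLENC}}}EncryptedData")
    if provider and encrypted is not None:
        # Document order: data cipher first, then the key-wrapping algorithm.
        algorithms = [m.get("Algorithm", "").split("#")[-1]
                      for m in encrypted.iter(f"{{{XMLENC}}}EncryptionMethod")]
        return {"state": "encrypted", "provider": provider, "algorithms": algorithms}
    # Readable section: list each entry and flag embedded credentials.
    entries = []
    for add in section.findall("add"):
        parts = add.get("connectionString", "").split(";")
        keys = {p.split("=", 1)[0].strip().lower() for p in parts if "=" in p}
        entries.append({"name": add.get("name"),
                        "embedded_credential": bool(keys & {"password", "pwd"})})
    return {"state": "plaintext", "entries": entries}


if __name__ == "__main__":
    for label, doc in (("before", PLAIN), ("after", PROTECTED)):
        print(label, audit_connection_strings(doc))
```

A "plaintext" result with `embedded_credential` set is the case this tip is meant to eliminate; an "encrypted" result also shows which provider and algorithms protect the section.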

Accessing Decrypted Configuration Settings

It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?

C#
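// Requires "using System.Configuration;". Look the entry up by name; decryption is transparent.
string ConnString = ConfigurationManager.ConnectionStrings["SqlServices"].ConnectionString;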

Decrypting the Connection String

Is it possible to decrypt my Web.Config so that I can read it in original format?

Yes, it is possible.

Simply run the following command to decrypt the connectionStrings element in the Web.config file.

ASPNET_REGIIS -pdf "connectionStrings" "D:\Articles\EncryptWebConfig"

Note: The parameter "connectionStrings" is case sensitive.

Questions and Answers

1. You might ask: if the Web.Config file can be encrypted and decrypted using ASPNET_REGIIS, then anyone who has access to the Web.Config file can decrypt the content, right?

To answer this question, I would say no: when you encrypt your Config file, your machine stores the keys, and if you copy the Config file to a different system and try to decrypt it there, you might get an error.

Pros

  1. Web.Config sensitive information is not in a readable condition (after encryption)
  2. You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request

Cons

  1. You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.

Points of Interest

Web.Config encryption only takes a couple of moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker who has full access to your entire server.

I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?

History

  • 07/11/2014: Created
  • 07/15/2014: Updated broken link to download source code.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).


Written By
Software Developer (Senior)
India
Passionate, energetic, dynamic, responsible and committed engineer, with a get–it–done attitude and spirit of completing on–time with experience in designing, implementing and adapting technically sophisticated applications using Microsoft Technologies.
