Loading

Encrypting Connection Strings

Submitted by: 
planetsourcecode
Saturday, June 6, 2009 - 12:22


If you are a ASP.NET developer then you know that all the information is stored in web.config file and its is plain file which can be easily open in any text Editor like Notepad or word pad . We store all the important information like connection strings, user names, passwords.That means we are handling sensitive information in a unsafe text file.
but we can easily encrypt sensitive information in configuration files

ASP.NET 2.0 introduced Protected Configuration model that allows you to encrypt data using two Protected Configuration Providers. They are:

RSAProtectedConfigurationProvider: This is the default provider and uses the RSA Public Key Encryption algorithm to encrypt and decrypt data.

DataProtectionConfigurationProvider: This provider uses Windows Data Protection Application Programming Interface (DPAPI) to encrypt and decrypt data.

Next step: though coding
1) sample web.config file

  1. <configuration>
  2.        <appSettings/>
  3.        <connectionStrings>
  4.   <add name="NorthwindConnectionString" connectionString="Data Source=ARAS02-XP;Initial Catalog=Northwind;User ID=sa"
  5.    providerName="System.Data.SqlClient" />
  6. </connectionStrings>
  7.        <system.web>
  8.              <compilation debug="true"/>
  9.              <authentication mode="Windows"/>
  10.     <pages theme="Theme1" />
  11.              </system.web>
  12. </configuration>

2). Add a new form and in code behind

  1. using System.Web.Configuration;
  2. using System.Web.Security;
  3. using System.Configuration;
  4.  
  5. public void EncryptConnString()
  6.     {
  7.  
  8. Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
  9.        ConfigurationSection section = config.GetSection("connectionStrings");
  10.         if (!section.SectionInformation.IsProtected)
  11.         {
  12.             section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
  13.             config.Save();
  14.         }
  15.     }
  16.  
  17. when this section runs it will produce a ne encrypted web.config
  18. <?xml version="1.0"?>
  19. <!-- 
  20.     Note: As an alternative to hand editing this file you can use the 
  21.     web admin tool to configure settings for your application. Use
  22.     the Website->Asp.Net Configuration option in Visual Studio.
  23.     A full list of settings and comments can be found in 
  24.     machine.config.comments usually located in 
  25.     \Windows\Microsoft.Net\Framework\v2.x\Config 
  26. -->
  27. <configuration>
  28.     <appSettings/>
  29.     <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  30.         <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
  31.             xmlns="http://www.w3.org/2001/04/xmlenc#">
  32.             <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
  33.             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  34.                 <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
  35.                     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
  36.                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  37.                         <KeyName>Rsa Key</KeyName>
  38.                     </KeyInfo>
  39.                     <CipherData>
  40.                         <CipherValue>jWmekeNh1TC5Bf5RG2RWo8TU0qLoSF9IdSSpWMgiAjeCUqvPfo/XQr/zzLz4kdHUvCbbrSPX92YOpfv0YKSKO1mlEwE9LA57W9oo/0H7E8feO0flheoNdow9Tw8RVaM7meM8CqODladWD8Vr8G9mk17gWBFByWboIBMzWQ6Rp7U=</CipherValue>
  41.                     </CipherData>
  42.                 </EncryptedKey>
  43.             </KeyInfo>
  44.             <CipherData>
  45.                 <CipherValue>7goUfwnWEqyrTFZXMBcD2eW+15j+eYyzq/YS/GpMX2NTMOrfJ6BHFy4Xr+kGEhLsckrGARfbQFsNLctL7wPBAMucnS0g2nbeMLKH1PPGjvBXjsdrvDUJ50w9CyvQ0dOqBb2Kdx0aEvmxCfCy/xLbkYPE6t/LGjVHUJFySVs4SjWhR4sLxzkxuTRSA3kq+2woobOfzIUSqOsO035SYiOYynQf2QcfodYZgT4U2KVsflUHR6Zk/iiTIh0+t1y0cMioFHkkHM8NDdjnYHToNhAP67GrulM/nAsTiMuAW4ElX/MomWAFngKmJvDqo8oKVWXY</CipherValue>
  46.             </CipherData>
  47.         </EncryptedData>
  48.     </connectionStrings>
  49.     <system.web>
  50.         <!-- 
  51.             Set compilation debug="true" to insert debugging 
  52.             symbols into the compiled page. Because this 
  53.             affects performance, set this value to true only 
  54.             during development.
  55.         -->
  56.         <compilation debug="false" />
  57.         <!--
  58.             The <authentication> section enables configuration 
  59.             of the security authentication mode used by 
  60.             ASP.NET to identify an incoming user. 
  61.         -->
  62.         <authentication mode="Windows" />
  63.         <!--
  64.             The <customErrors> section enables configuration 
  65.             of what to do if/when an unhandled error occurs 
  66.             during the execution of a request. Specifically, 
  67.             it enables developers to configure html error pages 
  68.             to be displayed in place of a error stack trace.
  69.  
  70.         <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
  71.             <error statusCode="403" redirect="NoAccess.htm" />
  72.             <error statusCode="404" redirect="FileNotFound.htm" />
  73.         </customErrors>
  74.         -->
  75.     </system.web>
  76. </configuration>

for bringing the configuration file to its original state then run the following method

  1. public void DecryptConnString()
  2.     {
  3.         Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
  4.         ConfigurationSection section = config.GetSection("connectionStrings");
  5.         if (section.SectionInformation.IsProtected)
  6.         {
  7.             section.SectionInformation.UnprotectSection();
  8.             config.Save();
  9.         }
  10.     }

About the author:

Planet Source Code is a place for all developer providing free source codes, articles, complete projects,complete application in PHP, C/C++, Javascript, Visual Basic, Cobol, Pascal, ASP/VBScript, AJAX, SQL, Perl, Python, Ruby, Mobile Development



planetsourcecode's picture

Article by planetsourcecode

planetsourcecode has submitted source code / articles.

If you like This post, you can follow SourceCodester on Twitter.

Subscribe to SourceCodester feed via RSS or EMAIL to receive instant updates.

Add new comment

More information about text formats

Filtered HTML

  • You may insert videos with [video:URL]
  • You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <asp>, <c>, <cpp>, <csharp>, <css>, <html4strict>, <java>, <javascript>, <mysql>, <php>, <python>, <sql>, <vb>, <vbnet>. The supported tag styles are: <foo>, [foo].
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.