Secure methods of storing keys, passwords for asp.net

2
votes

What is the best practice for storing keys, and or passwords for a website. These keys are for various 3rd party web services. Is it best to have them in the Web.config file, or in the database, or encrypted somehow?

3
security

3 Answers

4
votes

You can store the encrypted values in the .config file, and ASP.NET 2.0 will decrypt them on the fly.

Your configuration would look something like:

<configSections>
   <section 
      name="sampleSection" 
      type="System.Configuration.SingleTagSectionHandler" 
   />
</configSections>

<MySecrets
   FavoriteMusic="Disco" 
   FavoriteLanguage="COBOL" 
   DreamJob="Dancing in the opening ceremonies of the Olympics" 
/>

and then you run the following from a command line, in the same directory as your config file:

aspnet_regiis -pef MySecrets .

From K. Scott Allen:

http://odetocode.com/Blogs/scott/archive/2006/01/08/2707.aspx

3
votes

Assuming your database isn't accessible from the outside world or that you have it properly locked down that would be the preferred way to store the keys. This allows all of your applications to pull from the same store of keys/passwords making changes very quick and easy.

2
votes

Depends on how often the values change. If they will never change then I would keep them in your source code.

I would stay away from storing data that changes in the Web.Config because changing it forces a restart of the App pool.

My vote would be to store them, encrypted, in the database and provide an easy way for the values to be changed (e.g. store values in the cache and refresh them when they are altered by a user).