1
votes

I have to deploy an ASP.NET MVC 3 website and its web.config contains database credentials.

After searching for a while, I found that one could place the connection string in a .cs file in the App_Data folder, but if the database password is changed, then the site needs to be recompiled.

Also I got to this link: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA, but the page says that the content is not retired.

Can someone please tell me the updated practices to encrypt the connection string information in the web.config file?

Thanks.

2
See asp.net/identity/overview/features-api/… which shows how to move the PW out of web.config - RickAndMSFT

2 Answers

2
votes

Using an encrypt/decrypt method on the particular web.config file still seems to be the preferred practice: Classic implementation programmatically.

I don't think the practices of encrypting web.config have updated with MVC, other than, obviously, you can't use an Event button to call the method as in the above example. You want to map the Encrypt/Decrypt methods to a controller action.

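    using System.Configuration;
    using System.Web.Configuration;
    using System.Web.Mvc;

    // "ConfigController" is a placeholder name for the controller hosting the action.
    public class ConfigController : Controller
    {
        // Rewrites web.config on disk, so expose this action to administrators only.
        public ActionResult Encrypt()
        {
            ProtectSection("connectionStrings", "RSAProtectedConfigurationProvider");
            return View();
        }

        // Encrypts the named section in place if it is not already protected.
        private void ProtectSection(string sectionName, string provider)
        {
            Configuration config =
                WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
            ConfigurationSection section = config.GetSection(sectionName);

            if (section != null && !section.SectionInformation.IsProtected)
            {
                section.SectionInformation.ProtectSection(provider);
                config.Save();
            }
        }
    }
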
0
votes

To encrypt the connection string in Web.Config files, we can follow these steps.

  • Open C:\Windows\System32\CMD.exe As Administrator
  • In CMD type CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
  • In CMD type aspnet_regiis.exe -pef connectionStrings "Path of the Folder containing the Web.Config file"

    Ex: aspnet_regiis.exe -pef "connectionStrings" "D://PROJECTS/SAMPLE_PROJECT"

  • Set identity impersonate to false in the project's web.config

    <system.web>
      <identity impersonate="false" />
    </system.web>

For decryption, you can use the command below.

  • Open C:\Windows\System32\CMD.exe As Administrator
  • In CMD type CD C:\Windows\Microsoft.NET\Framework64\v4.0.30319
  • In CMD type aspnet_regiis.exe -pdf "connectionStrings" "Path of the Folder containing the Web.Config file"

    Ex: aspnet_regiis.exe -pdf "connectionStrings" "D://PROJECTS/SAMPLE_PROJECT"

Give thumbs up to my article
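
A deploy-time check for the result of the steps in the answers above, as an added example that is not from either answer: it parses a web.config and reports whether `connectionStrings` is still readable. The two sample configs are constructed, and the check assumes the section is a direct child of `<configuration>` with no default XML namespace.

```python
import sys
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: the section before running `aspnet_regiis -pef`.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Default" connectionString="Server=db01;Database=App;User Id=app;Password=example-only" />
  </connectionStrings>
</configuration>"""

# Constructed sample: the shape of the section afterwards (cipher value is a placeholder).
PROTECTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_section(config_xml, section="connectionStrings"):
    """Return a list of findings; an empty list means the section looks protected."""
    root = ET.fromstring(config_xml)
    node = root.find(section)
    if node is None:
        return ["section <%s> not found" % section]
    findings = []
    if not node.get("configProtectionProvider"):
        findings.append("no configProtectionProvider attribute")
    if node.find("{%s}EncryptedData" % XMLENC_NS) is None:
        findings.append("no <EncryptedData> element")
    # Any readable <add> entry means a connection string is still in clear text.
    for add in node.iter("add"):
        value = add.get("connectionString", "")
        keys = {p.split("=", 1)[0].strip().lower() for p in value.split(";") if "=" in p}
        leak = "with password" if keys & {"password", "pwd"} else "without password"
        findings.append("plaintext entry '%s' (%s)" % (add.get("name"), leak))
    return findings


if __name__ == "__main__":
    # Pass the path to a web.config; with no argument the plaintext sample is audited.
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PLAINTEXT_CONFIG
    problems = audit_section(source)
    print("\n".join(problems) or "connectionStrings is protected")
    sys.exit(1 if problems else 0)
```

The non-zero exit code lets a build or release pipeline stop when a web.config with a readable connection string is about to ship.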