Generally in an ASP.NET application we store connection strings in the web.config file, but the database authentication information (user id and password) and the database name are written there in plain text, which anyone who can read the file can see, as shown below.
<connectionStrings>
  <add name="DBConnectionString" connectionString="Data Source=(local);Initial Catalog=testDB;User ID=sa;Password=dlog24" />
</connectionStrings>
Placing sensitive information like the username, password and DB details in plain text is not good practice because it is a security concern. Hackers will try to find out the DB connection string by injecting errors into the application. If a hacker finds the DB connection string, he can perform any operation on the database, such as data modification, data deletion or data insertion.
To avoid this security concern, the ASP.NET runtime provides a way to encrypt the connection string stored in web.config and to decrypt it when the application connects to the database.
To encrypt the connection string, the ASP.NET runtime (and the aspnet_regiis.exe tool) provides different protection providers. Here we use one of the built-in providers, RSAProtectedConfigurationProvider.
We can encrypt the connection string in the web.config file as shown below.
using System;
using System.Configuration;
using System.Web.Configuration;

protected void btnEncrypt_Click(object sender, EventArgs e)
{
    EncryptConnectionString("RSAProtectedConfigurationProvider");
}

private void EncryptConnectionString(string provider)
{
    // Open the web.config of this application for editing.
    string path = Request.ApplicationPath;
    Configuration confg = WebConfigurationManager.OpenWebConfiguration(path);
    ConfigurationSection configSect = confg.GetSection("connectionStrings");

    // Encrypt only if the section exists and is still in plain text.
    if (configSect != null && !configSect.SectionInformation.IsProtected)
    {
        configSect.SectionInformation.ProtectSection(provider);
        confg.Save();   // writes the encrypted section back to web.config
    }
}
As shown above, we first read the connectionStrings section from the web.config file, encrypt it with the RSAProtectedConfigurationProvider protection provider, and save the encrypted value back to web.config. The IsProtected property of ConfigurationSection tells us whether the section is still in plain text, so we only encrypt it once.
After encryption the connection string value looks like this.
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>Mg/rS3f7pM1C1uJUIyOa1nWtHTB7fcydLiHBwFfj/p1TKJmJVCFV3jLoIdAZRBTT/wf63cIo4MmYkDmXr5
1rTw64kbfXVFTizc6cGlqJouiiAyiULVrqShrcrKJH/qhv1an9iA3rnEUZjO6TNFwAPz7ge8nuJU9340tJQcOO06Q=
          </CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>CKj/piTdKOZ6J5nXLHKCaYmc/FMQCgMRzSJcBL8tlomMRF74pcRq1kEDZ1DiEK2CL4
bidHT6liXJmlKH/98dFAy/dGOFm33Kwl+cMlM83HmNCSsU1VxocbEROxFo2YKTL2SdUsPbRohMrePN1/nyDbk5YPF0csD
sYa79X7JAX3ltK6sVjk4sVXaQhaKQI1XZkkNIKA7QRoSk2U00a2sGNojV9hAot5u/oVLa7+grtVGRCn3AJMVKWg==
      </CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
As shown above, the connection string is now stored in an encrypted form that is not readable.
We have to decrypt the connection string when connecting to the database. Decrypt the connection string by using the UnprotectSection() method of ConfigurationSection as shown below.
using System;
using System.Configuration;
using System.Web.Configuration;

protected void btnDecrypt_Click(object sender, EventArgs e)
{
    DecryptConnectionString();
}

private void DecryptConnectionString()
{
    // Open the web.config of this application for editing.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection configSect = config.GetSection("connectionStrings");

    // Decrypt only if the section is currently encrypted.
    if (configSect != null && configSect.SectionInformation.IsProtected)
    {
        configSect.SectionInformation.UnprotectSection();
        config.Save();   // writes the plain-text section back to web.config
    }
}
After decrypting the connection string it looks like this again.
<connectionStrings>
  <add name="DBConnectionString" connectionString="Data Source=(local);Initial Catalog=testDB;User ID=sa;Password=dlog24" />
</connectionStrings>
In this way we can encrypt and decrypt the connection string in the web.config file. You need to open Visual Studio with admin permissions because you are saving changes to the web.config file.
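As an added example (not code from the original post), the helper below puts the encrypt step into a reusable class and shows the caveat a practitioner wants: the runtime decrypts a protected section in memory whenever the application reads it, so the connection string can be used to connect without ever writing the plain text back with UnprotectSection(). The class name, the Application_Start call site and the use of HttpRuntime.AppDomainAppVirtualPath are assumptions; the provider name is the registered name of the built-in RSA provider, as seen in the encrypted output above.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Configuration;

// Added example, not part of the original post.
public static class ConnectionStringProtection
{
    // Registered name of the built-in RSA provider (machine.config).
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypt the connectionStrings section once, e.g. from Application_Start.
    // Needs write access to web.config (hence the admin rights mentioned above).
    public static void EnsureProtected(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return;                         // missing or already encrypted

        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);   // write only what changed
    }

    // Returns the usable (decrypted) connection string, or null if not defined.
    // Works whether the stored section is protected or not: the runtime
    // decrypts in memory, so nothing is written back to web.config.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = WebConfigurationManager.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    // Deployment check: true when the section on disk is encrypted, so a copy
    // of web.config does not reveal the database password.
    public static bool IsStoredEncrypted(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        return section != null && section.SectionInformation.IsProtected;
    }
}

// Assumed call site in Global.asax.cs:
// protected void Application_Start(object sender, System.EventArgs e)
// {
//     string appPath = HttpRuntime.AppDomainAppVirtualPath;
//     ConnectionStringProtection.EnsureProtected(appPath);
//     string cs = ConnectionStringProtection.GetConnectionString("DBConnectionString");
//     // pass cs to SqlConnection; IsStoredEncrypted(appPath) stays true
// }
```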