Re: Encrypting Connection String

From: th (th@rmsexxxcf.remove-xxx-and-this.cxxxom)
Date: 12/29/02


From: "th" <th@rmsexxxcf.remove-xxx-and-this.cxxxom>
Date: Sun, 29 Dec 2002 23:23:45 +0100


This article will tell you about several possibilities to store connection secrets.
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp?frame=true)

This one shows how to secure your ASP.NET app, as used in the OpenHack competition.
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp?frame=true)

"paul reed" <prreed@jacksonreed.com> wrote in message news:O$kjsuvrCHA.720@TK2MSFTNGP12...
> I currently keep my connection string in web.config as clear text. Prior to
> going to production I want to encrypt this string and then after retrieving
> it at app startup I want to decrypt it.
>
> I don't want to use the registry to store the encryption key or the
> encrypted string...there are many suggestions out there but all point to the
> evils of having to store the encrypt key somewhere (so you can decrypt the
> connection string at a later time). One thread I found says to create a
> one-way hash...but of course no sample code along with that suggestion.
>
> Can anyone point me in the right direction? I have checked all the sample
> MSDN applications (Duwamish, etc...) and they all say, "...now in a real
> application, you should encrypt either the whole connection string or at
> least the password"...so they offer no code to do this.
>
> What is the best approach?
>
> Thanks in advance.
>
>


