Re: Encrypting Connection String

From: Max Favilli - Dammela.it (max@dammela.it)
Date: 01/01/03 

From: "Max Favilli - Dammela.it" <max@dammela.it>
Date: Wed, 1 Jan 2003 06:40:11 -0800

Maybe silly but... Does it mean it's possible to see the web.config file?
Even if IIS should never serve it, as mentioned in the documentation?
I thought that was something I could trust...

Max

"th" <th@rmsexxxcf.remove-xxx-and-this.cxxxom> wrote in message
news:#yOWbe4rCHA.1776@TK2MSFTNGP09...
> This article will tell you about several possibilitys to store connection
secrets.
>
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch12.asp?frame=true)
>
>
>
> This one shows how to secure your ASP.NET app, as used in the OpenHack -
competition.
>
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/openhack.asp?frame=true)
>
> "paul reed" <prreed@jacksonreed.com> wrote in message
news:O$kjsuvrCHA.720@TK2MSFTNGP12...
> > I currently keep my connection string in web.config as clear text. Prior
to
> > going to production I want to encrypt this string and then after
retrieving
> > it at app startup I want to decrypt it.
> >
> > I don't want to use the registry to store the encryption key or the
> > encrypted string...there are many suggestions out there but all point to
the
> > evils of having to store the encrypt key somewhere (so you can decrypt
the
> > connection string at a latter time). One thread I found say to create a
> > one-way hash...but of course no sample code along with that suggestion.
> >
> > Can anyone point me in the right direction. I have checked all the
sample
> > MSDN applications (Duwamish, etc...) and they all say, "...now in a real
> > application, you should encrypt either the whole connection string or at
> > least the password"...so they offer no code to do this.
> >
> > What is the best approach?
> >
> > Thanks in advance.
> >
> >
>
>

Relevant Pages

  • X509Certificate hell!
    ... a hash must be generated and signed. ... Encrypt the connection string and store this in the Windows registry in a binary value using the certificate public key. ...
    (microsoft.public.dotnet.security)
  • Re: Encrypting Connection String
    ... This article will tell you about several possibilitys to store connection secrets. ... > I currently keep my connection string in web.config as clear text. ... > going to production I want to encrypt this string and then after retrieving ... > one-way hash...but of course no sample code along with that suggestion. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Encrypting connection string in app.config
    ... Is there anyway to encrypt the connection string using an algorithm which is ... FIPS 140-2 certified, and then store the key in a FIPS 140-2 certified ...
    (microsoft.public.dotnet.security)
  • Re: Encryption of Connection String
    ... Do you know what level of encryption IS applied to the connection string? ... > to the SQL Server via SQL authentication the password is only ... Thus you might have made all this effort to encrypt the ... > Authentication is always the preferred option unless you are using ...
    (microsoft.public.sqlserver.security)
  • ConnectionString encryption decryption
    ... Decrypt function used to encrypt and decrypt the connection string pass to ... at System.EnterpriseServices.Thunk.Proxy.CoCreateObject(Type serverType, ...
    (microsoft.public.dotnet.general)