Re: Encrypting Connection String

From: Max Favilli - Dammela.it (max@dammela.it)
Date: 01/01/03 

From: "Max Favilli - Dammela.it" <max@dammela.it>
Date: Wed, 1 Jan 2003 06:40:11 -0800

Maybe silly but... Does it mean it's possible to see the web.config file?
Even if IIS should never serve it, as mentioned in the documentation?
I thought that was something I could trust...

Max

"th" <th@rmsexxxcf.remove-xxx-and-this.cxxxom> wrote in message
news:#yOWbe4rCHA.1776@TK2MSFTNGP09...
> This article will tell you about several possibilitys to store connection
secrets.
>
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch12.asp?frame=true)
>
>
>
> This one shows how to secure your ASP.NET app, as used in the OpenHack -
competition.
>
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/openhack.asp?frame=true)
>
> "paul reed" <prreed@jacksonreed.com> wrote in message
news:O$kjsuvrCHA.720@TK2MSFTNGP12...
> > I currently keep my connection string in web.config as clear text. Prior
to
> > going to production I want to encrypt this string and then after
retrieving
> > it at app startup I want to decrypt it.
> >
> > I don't want to use the registry to store the encryption key or the
> > encrypted string...there are many suggestions out there but all point to
the
> > evils of having to store the encrypt key somewhere (so you can decrypt
the
> > connection string at a latter time). One thread I found say to create a
> > one-way hash...but of course no sample code along with that suggestion.
> >
> > Can anyone point me in the right direction. I have checked all the
sample
> > MSDN applications (Duwamish, etc...) and they all say, "...now in a real
> > application, you should encrypt either the whole connection string or at
> > least the password"...so they offer no code to do this.
> >
> > What is the best approach?
> >
> > Thanks in advance.
> >
> >
>
>

Relevant Pages

  • X509Certificate hell!
    ... a hash must be generated and signed. ... Encrypt the connection string and store this in the Windows registry in a binary value using the certificate public key. ...
    (microsoft.public.dotnet.security)
  • Re: Encrypting Connection String
    ... This article will tell you about several possibilitys to store connection secrets. ... > I currently keep my connection string in web.config as clear text. ... > going to production I want to encrypt this string and then after retrieving ... > one-way hash...but of course no sample code along with that suggestion. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Encrypting connection string in app.config
    ... Is there anyway to encrypt the connection string using an algorithm which is ... FIPS 140-2 certified, and then store the key in a FIPS 140-2 certified ...
    (microsoft.public.dotnet.security)
  • Re: Encryption of Connection String
    ... Do you know what level of encryption IS applied to the connection string? ... > to the SQL Server via SQL authentication the password is only ... Thus you might have made all this effort to encrypt the ... > Authentication is always the preferred option unless you are using ...
    (microsoft.public.sqlserver.security)
  • Re: encrypt string in the Web.Config file
    ... If you encrypt the connection string, later you will only have to decrypt ... Which means somewhere you will need to store the key, ... you apply the same hash ...
    (microsoft.public.dotnet.framework.aspnet.webservices)