Re: Web.config encryption in shared hosting scenario

---

• From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Wed, 13 Jun 2007 14:55:32 +0000 (UTC)

---

You can do it programmatically.

Open the config using WebConfigurationManager, get the section using GetSection(), and call Protect() on the SectionInformation you get back.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hello Jazza,

I saw your post because I have a similar problem.

I just begin to search for a solution because the customer does not
allow access to the web server where my application has to be
deployed. I would like to encrypt the database connection string
located in the web.config.

Did you found a solution to this problem? Thanks

Sincerly,
Adriano
"Jazza" <Jazza@xxxxxxxxxxxxxxxxxxxxxxxxx> a écrit dans le message de
news: 5D099CD8-E572-41F5-A45B-3FDA3A3A1A3B@xxxxxxxxxxxxxxxx

Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

I have been using the Personal Web Site Starter Kit and have
successfully
uploaded the site to a shared hosting provider. I am connecting to
the SQL
database via SQL authentication rather than Windows authentication,
as I
have
no control over the Windows user accounts. This means the SQL user
name
and
password are in clear text in the connection string in web.config.
Therefore, best practice dictates that I encrypt the web.config file
to
hide
the SQL login details. But the only way to encrypt a section of the
config
file is to run aspnet_regiis.exe on the server, to which I have no
access.
What are my options, if any, for protecting my config file? Does
anyone
know
of any resources on how to create a custom encryption scheme?
Regards,

Jazza

.

---

• References:
  • Re: Web.config encryption in shared hosting scenario
    • From: Adriano Labate

• Prev by Date: Re: Web.config encryption in shared hosting scenario
• Next by Date: Connecting the web application with AD and Form Authentication
• Previous by thread: Re: Web.config encryption in shared hosting scenario
• Next by thread: Connecting the web application with AD and Form Authentication
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Windows App .NET 2.0: Encryption of Connection Strings ... no special privileges are needed, besides write access to the config file ... CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt" ... > 3) I guess that I protect all kinds of configuration sections? ... >> Hello Henrik, ... (microsoft.public.dotnet.security) Re: Help Encrypting Connection String ... the tool you are referring to is called aspnet_setreg - it uses DPAPI to encrypt the section and places it into web.config - the config file then refers to the reg key. ... You can also use the Ent Lib cryptography block to encrypt and decrypt arbitrary strings, so that will certainly work for what you want to do. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Encrypt values for a key in appsettings ... Actually i need to encrypt only the password fields and decrypt the ... TripleDESCryptoServiceProvider to encrypt the password. ... Key can be placed in config file. ... You don't have to decrypt the data when using the ProtectSection ... (microsoft.public.dotnet.languages.csharp) Re: HELP: SQL 2000 Queries are 3 times Slower on DUAL XEON vs DUAL PIII ... >hardware 1 config below) running from the SQL Server Query Analyzer. ... (microsoft.public.sqlserver.server) Re: HELP! ... You could try using the sa account to connect to the config DB. ... SQL expert at all but I seem to remember not being able to access some db's ... sa is god. ... (microsoft.public.sharepoint.portalserver)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)