Introduction:
In this article I will explain how to encrypt or decrypt connectionStrings in web.config file using asp.net.
Description:
In previous posts I explained many topics regarding ASP.NET, SQL Server, Ajax, JavaScript, etc. In many of those articles I used the connectionStrings section in the web.config file to store the database connection. The connectionStrings section contains sensitive information about database connections, including the database username and password. Is it secure to store this sensitive information in plain-text files such as web.config and machine.config?
If we run our applications on internal servers with security in place then it is OK, but if we deploy our applications in a shared hosting environment then security problems can arise. To avoid these problems, ASP.NET 2.0 provides a built-in protected configuration model to encrypt or decrypt selected sections of the web.config file. It offers two providers:
RsaProtectedConfigurationProvider: This is the default provider and uses the RSA public key encryption algorithm to encrypt and decrypt data.
DataProtectionConfigurationProvider: This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt the data.
Connection strings in the web.config file can be encrypted and decrypted either with the aspnet_regiis.exe command-line tool or from code-behind.
First Method:
First we will do encryption and decryption using the aspnet_regiis.exe command-line tool on a file system website.
To implement encryption and decryption, first create a new website using Visual Studio.
After that, open the web.config file in the application and add a sample db connection in the connectionStrings section like this:
<connectionStrings>
  <add name="dbconnection" connectionString="Data Source=GohilRajni;Integrated Security=true;Initial Catalog=MySampleDB"/>
</connectionStrings>
After adding dbconnection to the connectionStrings section, follow the steps below to encrypt or decrypt the connection string in web.config.
1. Go to Start >> All Programs >> Microsoft Visual Studio 2008 >> Visual Studio Tools >> Visual Studio 2008 Command Prompt (Note: if you're using Windows 7, right-click the command prompt and select Run as administrator).
2. In the command prompt, type the following command:
   aspnet_regiis.exe -pef "connectionStrings" "C:\VisualStudio2008\Authorization"
   Here -pef tells the tool to encrypt a section of the web.config found at a physical folder path, which is what a file system website needs. The second argument, connectionStrings, is the name of the configuration section to encrypt. The third argument is the physical path of the folder where the web.config file is located.
3. After entering the command, press Enter. If everything goes well we will get a success message like “Encrypting configuration section… Succeeded!”
Now open your application and check the connectionStrings section in the web.config file; it will look like this:
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>ZNUbIEnOwlZzC8qbzHj5F2GS9gLYSkWCIgCJGkrgZAX8A+8oEIssyohhxUKvAubD3jizFc5IjbLGt7HNXhoFhXNTUPYz2y6tdKJDVgDmtCgVf8Z2C990zoMRBJG+VXhmgnlo1vtHYhGx8x/bBzE1prT1+xDpep98vHF22d+LrVI=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>tODWlPD0Q/B/mP14GQ/5tUxcjmhHcy9a0oPunV5osNrMQRztgi2h5V6sxJOEh+NC+G9gQNkv1huXf1s7eoZRRLy5/LDtLXzzqMUOqLSlJUs9igChvi33c9XG4rwGF15Tpn4N34bpQBt94n0rpSkQ18V9HCPzii+UO64PlA+ykDeQhc9aQr4gO3mCfUzmY2S9gsXzRbzdq0oCWBDvx8UkX2uDxaysVHC9Fo7u6IrlpU0+hOdK95Y3/A==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
Here we don't need to write any code to decrypt the encrypted connectionStrings section in our application, because .NET decrypts it automatically. To use the connection string, just read it in the normal way:
string strconnection = ConfigurationManager.ConnectionStrings["dbconnection"].ConnectionString;
Now, if we want to decrypt the connectionStrings section in web.config, use the following command:
aspnet_regiis.exe -pdf "connectionStrings" "C:\VisualStudio2008\Authorization"
After the command executes we will get a message like “Decrypting configuration section… Succeeded!”
Now check the connectionStrings section in your web.config file and you will see the decrypted connection string.
So far we have learned how to encrypt and decrypt the connectionStrings section in a file system website. To encrypt the connection string in an IIS-based site, i.e. a deployed website, we need to use the following commands.
Encrypt connectionStrings in web.config of IIS based site
aspnet_regiis.exe -pe "connectionStrings" -app "/SampleWebSite"
Here -pe indicates that the application is built as an IIS-based site. The second argument, connectionStrings, is the name of the configuration section to encrypt. The third argument, -app, indicates a virtual directory, and the last argument is the name of the virtual directory where the application is deployed.
Decrypt connectionStrings in web.config of IIS based site
aspnet_regiis.exe -pd "connectionStrings" -app "/SampleWebSite"
So far we have learned how to encrypt and decrypt the connectionStrings section in the web.config file using the aspnet_regiis.exe command-line tool. Now I will explain the code-behind method to encrypt and decrypt the connectionStrings section in web.config.
Second Method:
In the second method I will use RsaProtectedConfigurationProvider and DataProtectionConfigurationProvider to encrypt and decrypt connectionStrings in web.config using ASP.NET.
First open the Default.aspx page and write the following code:
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <title>Untitled Page</title>
</head>
<body>
  <form id="form1" runat="server">
    <div>
      <asp:Button id="btnEncrypt" runat="server" Text="Encrypt" onclick="btnEncrypt_Click" />
      <asp:Button ID="btnDecrypt" runat="server" Text="Decrypt" onclick="btnDecrypt_Click" />
    </div>
  </form>
</body>
</html>
After that, open the code-behind page and add the following namespace references:
using System;
using System.Configuration;
using System.Web.Configuration;
After adding the namespaces, write the following code in the code-behind:
C# code
// Name of the protected configuration provider and of the section to protect
string provider = "RsaProtectedConfigurationProvider";
string section = "connectionStrings";

protected void Page_Load(object sender, EventArgs e)
{
}

// Encrypts the connectionStrings section and saves web.config
protected void btnEncrypt_Click(object sender, EventArgs e)
{
    Configuration confg = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection configSect = confg.GetSection(section);
    // Skip the work if the section is missing or already encrypted
    if (configSect != null && !configSect.SectionInformation.IsProtected)
    {
        configSect.SectionInformation.ProtectSection(provider);
        confg.Save();
    }
}

// Decrypts the connectionStrings section and saves web.config
protected void btnDecrypt_Click(object sender, EventArgs e)
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection configSect = config.GetSection(section);
    // Only decrypt a section that exists and is currently encrypted
    if (configSect != null && configSect.SectionInformation.IsProtected)
    {
        configSect.SectionInformation.UnprotectSection();
        config.Save();
    }
}
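As an added example (not code from the original article), the read-only check below reports sensitive sections that are still stored in plain text, so a deployment that skipped both methods above is caught. The class name, method name and the SensitiveSections list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

// Added example: read-only audit of protected configuration.
// ConfigProtectionAudit, FindUnprotectedSections and SensitiveSections
// are hypothetical names, not part of the article or of ASP.NET.
public static class ConfigProtectionAudit
{
    // Sections that usually hold credentials; adjust to the application.
    private static readonly string[] SensitiveSections =
    {
        "connectionStrings",
        "appSettings"
    };

    // Returns one finding per sensitive section that is present in the
    // site's web.config but not encrypted. An empty list means every
    // section that was checked is protected.
    public static List<string> FindUnprotectedSections(string virtualPath)
    {
        var findings = new List<string>();
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);

        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || !section.ElementInformation.IsPresent)
            {
                continue; // section is not defined in this web.config
            }

            // IsProtected is the same flag the btnDecrypt_Click handler tests.
            if (!section.SectionInformation.IsProtected)
            {
                findings.Add(name + ": stored in plain text in " + config.FilePath);
            }
        }
        return findings;
    }
}
```

Calling ConfigProtectionAudit.FindUnprotectedSections("~") from Application_Start in Global.asax and logging the returned findings runs the check on every application start without modifying web.config.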