Encrypt Web.config

Viewed 1,863 times

8

I come here with a question about the ConnectionStrings in Web.config.

Normally, we put some form of authentication into the ConnectionStrings so that the application can access the database. By default, anyone who gains access to the server where the application is installed will have access to the database through the data contained in the ConnectionStrings.

I know how to encrypt using aspnet_regiis; for those who don't know, a short tutorial can be seen here. But in the same way that the data is "encrypted", you just use the same command, changing only the parameter, to have the data "decrypted" again.

On that basis comes my question: how do I encrypt the ConnectionStrings of Web.config so as to hide the database access data?

  • Do you use any ORM to connect to the database?

  • @jbueno In this case it would be with EF, but it would also apply to Dapper.

1 answer

7


The ideal is not to depend on this information at all; it would be better to have the authentication done by other, more secure mechanisms, such as Integrated Security. Having said that, let's go to the solution requested:

Basically you will use the utility aspnet_regiis.exe. It lives in the directory C:\Windows\Microsoft.NET\Framework\vX.Y.ZZZZZ. Don't forget that you must have administrator privileges to run it. Example of use:

aspnet_regiis -pef "connectionStrings" "c:\diretorio\Web.config"

There is no miracle. Encryption guarantees nothing if what you need can easily be decrypted. You could provide a custom form of encryption, but you'd need a key and an algorithm to decrypt it. If anyone has access to your Web.config they will probably have your application too, which contains both, and it will be decrypted. So you'd better let the operating system and the database handle this. They will do a better job, though a fully compromised server can give access to anything.

But if they can only read your Web.config file, they won't be able to do much, since outside the computer where it was encrypted it will not be possible to revert it to the original state. This encryption depends on the environment where it is done. That is why it is no use doing it on your development machine and copying it to the production machine. Encryption must always be done on the production machine. Only there can it be decrypted.

Documentation. More details.

  • 1

    This utility I know. However, if someone has access to the file, they can use it again, just changing the -pef to -pd, and get the original value back. Would you have some example or term for me to research these other mechanisms?

  • There is no miracle, so this form is not the best possible. Anyway, with just the file it won't decrypt; you need to do it on the same machine or be able to reproduce the same conditions, which is virtually impossible. Use Integrated Security.

  • This method I also know. Now, that part about needing the same conditions I was unaware of. So if I use regiis from my personal computer to encrypt, only a computer with the same conditions will be able to decrypt it?

  • 1

    As I have never used this I can't guarantee it, but it's easy to find out: run a test. Then tell me what you found :) I edited the answer to put in more information, but remember that encryption alone does not solve all security problems.

  • Really, I tested it here and that's exactly it. Well, I know it doesn't solve everything I need, but I already have more security. Thanks for the help.
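The full workflow the answer and comments describe, as an added example that is not part of the original answer or the asker's test. It assumes .NET Framework 4.x on 64-bit Windows, an application directory C:\inetpub\wwwroot\MyApp and an application pool named MyAppPool (all assumed names), and an elevated PowerShell prompt. Note that -pef and -pdf take the application's physical directory (the folder containing web.config), not the path of the file itself. The first part uses the DPAPI provider, which is what makes the result bound to the machine it was encrypted on; the second part shows the RSA provider with key export/import, which is how you get the same encrypted Web.config to decrypt on a second server when you genuinely need that.

```powershell
# Added example; not from the original answer. Assumed: .NET Framework 4.x (64-bit),
# app in $appDir, pool name MyAppPool, run from an elevated prompt.
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$appDir = 'C:\inetpub\wwwroot\MyApp'   # assumed; -pef/-pdf want the app directory, not the file
$webConfig = Join-Path $appDir 'web.config'

# Preferred alternative, before encrypting anything: no password in the file at all.
# <add name="App" connectionString="Server=sql01;Database=App;Integrated Security=SSPI"
#      providerName="System.Data.SqlClient" />   (then run the app pool as a domain/gMSA account)

# 1. DPAPI provider (machine scope by default): the key is derived from this machine's
#    secret, so the section decrypts only on this machine. This is the "same conditions"
#    behaviour the asker confirmed in the comments.
& $regiis -pef 'connectionStrings' $appDir -prov 'DataProtectionConfigurationProvider'

# Check: the plaintext is gone and an <EncryptedData> element replaced it.
$cfg = [xml](Get-Content $webConfig)
$cs  = $cfg.configuration.connectionStrings
if ($cs.configProtectionProvider -and $cs.EncryptedData) { 'connectionStrings is protected' }
Select-String -Path $webConfig -Pattern 'Password=' -Quiet    # expected: False

# Reversing it needs local admin on this same machine (the "-pd" the comment refers to is -pdf):
& $regiis -pdf 'connectionStrings' $appDir

# 2. RSA provider: use this when several servers (web farm) must share one encrypted file.
#    The default RsaProtectedConfigurationProvider in machine.config uses the machine-level
#    key container NetFrameworkConfigurationKey.
& $regiis -pef 'connectionStrings' $appDir -prov 'RsaProtectedConfigurationProvider'

# Grant the application pool identity read access to the container, or the app fails at
# startup with "The RSA key container could not be opened".
& $regiis -pa 'NetFrameworkConfigurationKey' 'IIS APPPOOL\MyAppPool'

# Move the key to a second server: export WITH the private key (-pri), protect the file,
# import it there, grant the pool access, then copy the already-encrypted web.config over.
& $regiis -px 'NetFrameworkConfigurationKey' 'C:\secure\keys.xml' -pri
# On the second server:
#   aspnet_regiis -pi NetFrameworkConfigurationKey C:\secure\keys.xml
#   aspnet_regiis -pa NetFrameworkConfigurationKey "IIS APPPOOL\MyAppPool"
#   Remove-Item C:\secure\keys.xml   # once imported, the export file is a plaintext private key
```

The DPAPI path is the simpler one and matches the answer's advice to encrypt on the production machine only; the RSA path trades that machine binding for portability, so the exported keys.xml becomes the secret you now have to protect, and anyone who can read the key container (the pool identity, local administrators) can still decrypt the section. In both cases the application decrypts the value transparently at runtime, which is exactly why a fully compromised server still yields the credentials and why Integrated Security remains the better answer.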
