First, you are not encrypting the password, nor are you protecting it; after all, you can "decompile" your DLL using tools like a decompiler.
If you want to protect your sensitive data, you should move the content of the appSettings and connectionStrings sections to a separate file using the file and configSource attributes respectively.
The example below is taken from the following link: Best practices for deploying passwords and other sensitive data to ASP.NET and Azure App Service
<connectionStrings>
  <add name="ControleBD" connectionString="Data Source=NewSource;Initial Catalog=NewCatalog;UID=NewUser;password=NewPassword" providerName="System.Data.SqlClient" />
</connectionStrings>
<appSettings>
  <!-- Sensitive information -->
  <add key="serviceAccount" value="account" />
  <add key="servicePassword" value="my password" />
  <!-- Non-sensitive information -->
  <add key="Versao" value="1.2.3.4" />
</appSettings>
In this case, you can create two files, one for the connection string and the other for the settings:
app.config or web.config:
<!-- configSource and file take a path relative to the directory of this config file -->
<connectionStrings configSource="App_Configs\connectionStrings.config">
  <add name="ControleBD" connectionString="Data Source=NewSource;Initial Catalog=NewCatalog;UID=NewUser;password=NewPassword" providerName="System.Data.SqlClient" />
</connectionStrings>
<appSettings file="App_Configs\appSettings.config">
  <add key="Versao" value="1.2.3.4" />
</appSettings>
App_Configs\connectionStrings.config:
<connectionStrings>
  <add name="ControleBD" connectionString="Data Source=NewSource;Initial Catalog=NewCatalog;UID=NewUser;password=NewPassword" providerName="System.Data.SqlClient" />
</connectionStrings>
App_Configs\appSettings.config:
<appSettings>
  <add key="serviceAccount" value="account" />
  <add key="servicePassword" value="my password" />
</appSettings>
Then you should limit access to these two files.
Now, if you want to encrypt a section of web.config, make use of aspnet_regiis.exe. To find out where it is located, open the Visual Studio Command Prompt and type where aspnet_regiis; in my case it is located in:
%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Then run aspnet_regiis, passing the following arguments:
aspnet_regiis -pef "connectionStrings" "Full path to the directory containing the web.config"
To learn more about aspnet_regiis, see the link: ASP.NET IIS Registration Tool (Aspnet_regiis.exe).
Remember that if your configuration file has a name other than web.config, you should rename it to web.config, and if you wish to keep the connectionStrings in a separate file, you must move it after encrypting the section.
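The procedure above (locate aspnet_regiis, rename a non-web.config file, run -pef, then limit access to the file), put together as one script. This is an added example and not part of the original answer; it assumes the .NET Framework 4.x path shown in the answer, and $AppDir and $ReaderIdentity are placeholders you must adapt to your deployment.

```powershell
# Added example (not from the original answer): encrypt the connectionStrings
# section with aspnet_regiis -pef, verify the result, then restrict the file's ACL.
# $AppDir and $ReaderIdentity are placeholders; the aspnet_regiis path is the one from the answer.
param(
    [string]$AppDir = 'C:\inetpub\MyApp',                   # placeholder: folder holding the config file
    [string]$Section = 'connectionStrings',
    [string]$ReaderIdentity = 'IIS AppPool\DefaultAppPool'  # placeholder: account that must read the file
)

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# aspnet_regiis -pef expects a directory that contains a file named web.config.
# For a desktop app, temporarily copy <app>.exe.config to web.config, as the answer describes.
$config  = Join-Path $AppDir 'web.config'
$renamed = $false
if (-not (Test-Path $config)) {
    $appConfig = Get-ChildItem -Path $AppDir -Filter '*.exe.config' | Select-Object -First 1
    if (-not $appConfig) { throw "No web.config or *.exe.config found in $AppDir" }
    Copy-Item -Path $appConfig.FullName -Destination $config
    $renamed = $true
}

& $regiis -pef $Section $AppDir
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

if ($renamed) {
    # Put the encrypted content back under the application's real config name.
    Move-Item -Path $config -Destination $appConfig.FullName -Force
    $config = $appConfig.FullName
}

# Check: the section must now carry a configProtectionProvider attribute,
# and the plaintext "password=" must no longer appear anywhere in the file.
[xml]$doc = Get-Content -Path $config
$node = $doc.configuration.$Section
if (-not $node.configProtectionProvider) { throw "Section '$Section' is not encrypted" }
if ((Get-Content -Path $config -Raw) -match 'password=') { throw 'Plaintext password still present' }

# Limit access: drop inherited ACEs, grant read to the application identity only,
# and keep full control for Administrators and SYSTEM.
icacls $config /inheritance:r /grant:r "${ReaderIdentity}:(R)" 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)'
```

The section is encrypted with the default RsaProtectedConfigurationProvider, so the identity that runs the application also needs read access to the RSA key container, which is granted separately with aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS AppPool\DefaultAppPool" (identity is again a placeholder). The ACL step only covers the file; without the key-container grant the application will fail to read the section at runtime.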
Decrypting the password defeats the purpose of having encrypted it. Your problem is a different one.
– Maniero
The usual approach is to encrypt only the user and password, then decrypt and use them at runtime. You are encrypting the entire connection string, which can make it difficult to reconfigure the environment (a server change, for example). And why are you updating the connection string in the runtime configuration file?
– Caffé
Have a look at this article: Security Considerations (Entity Framework).
– Caffé
@Caffé thanks for the link, great article.
– Tobias Mesquita
I did not include the cryptography part in this code snippet; the function would be in the assignment on the third line. My need would just be to hide this kind of information from a simple user.
– Gabriel I.Borba