Encrypting only Passwords in web.config ASP.NET

Question

How can I encrypt only passwords in a web.config file?

<add name="PSystem" connectionString="Server=test;Database=Dev;User ID=testuser;Password=password@123;Trusted_Connection=False;Encrypt=True;" providerName="System.Data.SqlClient" />

Answer 1

To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the –pe option and the name of the configuration element to be encrypted.

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

Source: http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx

Answer 2

you can try using flags in the connecction string as follows:

<add name="PSystem" 
 connectionString="Server=test;
                   Database=Dev;
                   User ID=@UserID@;
                   Password=#Password#;
                   Trusted_Connection=False;
                   Encrypt=True;" 
  providerName="System.Data.SqlClient" />

then you can have the encrypted user and password as follows:

<add key="DB_User" value = [Encrypted Username]>
<add key="DB_Password" value = [Encrypted Password]>

Then in code you just replace the flags:

string _connectionString = ConfigurationManager.ConnectionStrings["PSystem"].ConnectionString;

string user = Decrypt(ConfigurationManager.AppSettings["DB_User"]);
string password = Decrypt(ConfigurationManager.AppSettings["DB_Password"]);

_connectionString = _connectionString.Replace("##User##", user).Replace("##Password##", password);

Answer 3

I believe that built-in encryption mechanisms work on the entire connectionString section:

See this website for more info

If you would like to encrypt in-memory passwords, maybe entered by the user through a login form, you could use SecureString