Reputation: 1922
What is the best practice for storing database connection details in .NET?
This might be a duplicate (question) but I am looking specifically for the .NET best practice.
How to store database connection strings, username and password etc. in a safe way? Is an encrypted app.config best in most cases?
I would also like to be able to set the password in the config file and then have it encrypted as soon as the application starts. (I am not asking for a solution as I have solved this before, I'm just looking for best practise(s)).
I'm also interested in alternative solutions that you have good experiences with.
Upvotes: 14
Views: 5361
Answers (5)
Reputation: 91
Use app.config or web.config to encrypt sensitive sections. .NET provides utilities for this. If you're working with various databases and want advanced connection features, dotConnect by is an excellent choice. I have tried it myself. It offers enhanced security and performance for database operations in .NET. For the parts of your application using ODBC, ODBC Driver is a robust solution that ensures safe and efficient connectivity.
Upvotes: 0
Reputation: 729
Something that I have found to be useful lately, is Microsoft's Single Sign On service. If you need to use SQL Authentication, you can store the actual credentials in an encrypted database.
Upvotes: 0
Reputation: 10681
That would be web.config. You can encrypt the connection string if secrity is a concern.
Upvotes: 1
Reputation: 5582
There are several things that we should know about protecting connection strings: http://msdn.microsoft.com/en-us/library/89211k9b.aspx
In my view the best way to store them (the one that combines flexibility and security) is "Encrypting Configuration File Sections Using Protected Configuration": http://msdn.microsoft.com/en-us/library/ms254494.aspx
Upvotes: 4
Reputation: 6450
I think the best practice is to use integrated security if possible, for 2 reasons... It is the easiest solution to manage and it is the easiest solution to get right.
If for some reason you can't use integrated security and you have to use username and password encrypt them using something like the Enterprise Library's Config Manager to encrypt sections of your web.config.
Upvotes: 6
Related Questions
- storing database connection in application
- Storing Connection String on Database
- How can I safely store and access connection string details?
- What is the best way to store connection string in .NET DLLs?
- Best way to set up the connection setting
- How do I manage connection strings and credentials for a DB in C#?
- What is the best practices to store database connection related information?
- Where do you store your database connectionstring?
- Storing db connection strings
- How to securely store database connection details