Atrotygma

Reputation: 1143

Securing database connection strings

I'm looking for some suggestions and best-practice advice related to storing and securing database connection strings. App.config seems to be the Microsoft-preferred way of handling application configuration, but I've had some troubles in the past working with it - or I just don't understand the philosophy behind it.

The first thing that seems obvious to me is: Never store connection information in plaintext. App.config however, is always plaintext. The only way to avoid storing human readable information in App.config seems to be Protected Configuration. But again, a big however: If one does deploy an application, the configuration will be deployed in plaintext - encryption (without the help of some tools) seems only possible when the application first starts.

This doesn't seem secure to me, because if someone checks out the application directory (where the configuration is stored) before running the application for the first time, he receives a lot of sensitive information in plain text.

Also: How can I secure the configuration in an application running as an unprivileged, default user? AFAIK saving application settings requires admin rights.

Did Microsoft really think that out? Or does Microsoft provide a different way?

Upvotes: 1

Views: 1351

Answers (1)

varun

Reputation: 4650

You can easily encrypt configuration sections in web.config; it looks like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>

take a look here > You don't need a tool to unencrypt it; this can be easily done in code and is a common practice.

Upvotes: 1
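The question asks how to protect the connectionStrings section without a separate tool, and the answer says it can be done in code. The following is an added example, not code from either poster: it uses the .NET Framework Protected Configuration API (System.Configuration) to encrypt the section of the application's own .exe.config at first run, decrypt it again, and read a connection string through ConfigurationManager, which decrypts transparently. It assumes a .NET Framework console project referencing System.Configuration.dll, an App.config containing a connection string named "MainDb" (a constructed name), and an account with write access to the .exe.config and read access to the RSA key container used by the provider.

```csharp
// Added example: protecting <connectionStrings> in App.config in code.
// Not from the original question or answer; assumes .NET Framework and
// a reference to System.Configuration.dll.
using System;
using System.Configuration;

static class ConnectionStringProtection
{
    // Built-in providers: RSA (key container, shareable across machines by
    // exporting the container) and DPAPI (machine or user key store).
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the connectionStrings section of this executable's config in
    // place. No-op if it is already protected. Needs write access to the
    // .exe.config file, so do this in an installer or first-run step that has
    // that permission rather than from an unprivileged user's session.
    public static bool Protect(string providerName = RsaProvider)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Reverses Protect. Succeeds only for an account that can use the
    // provider's key, which is the same boundary that protects the file.
    public static bool Unprotect()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Reading code is unchanged by protection: ConfigurationManager decrypts
    // the section on load, so no hand-written decryption step is needed.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        return settings?.ConnectionString;
    }

    static void Main()
    {
        // "MainDb" is a constructed name; it must exist in App.config.
        Console.WriteLine("Protected now: " + Protect());
        Console.WriteLine("Read through API: " + ReadConnectionString("MainDb"));
        Console.WriteLine("Unprotected now: " + Unprotect());
    }
}
```

What this buys you, and what it does not: after Protect() the on-disk file looks like the EncryptedData block in the answer, so someone who can only read the application directory no longer sees credentials. It does not stop anyone who can run code as the application's identity, because that identity must be able to decrypt the section to use it; with the DPAPI provider in its default machine-store mode, that extends to any account on the same machine. For the deployment problem the question raises, run Protect() from the installer or a post-deploy step instead of at first application start, so the config never sits on the target in plaintext.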
