Reputation: 221
This is my first time working on a secure website. It's for a pet project I have.
For security purposes, where is it best to store information like SQL connection strings, database encryption keys, etc.? Is it better to use web.config, store them in a class that accesses a database (like dataBaseHelper.cs or something), or somewhere else?
I intend to obtain an SSL cert as well. When communicating with the database, should I always use the secure connection?
Upvotes: 8
Views: 430
Reputation: 221
I found an article that will help solve the problem about whether or not this can be done on a server hosting my site. Just googled based off the answers you guys gave above. Worked pretty well.
http://sharpertutorials.com/webconfig-encryption/
Thanks for the help and direction.
Upvotes: 0
Reputation: 11303
Depending on the app, it's generally best practice to use a KMS to store encryption keys. If a KMS is not available because of budget constraints or whatever, Key Containers are the next best option. Once your key is protected you can store variables either in encrypted sections of the config file as suggested, or as encrypted byte arrays in the assembly itself.
Upvotes: 1
Reputation: 11263
Check the "Encrypting sections of config files" section on MSDN.
Upvotes: 10
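The config-section encryption suggested in the answers above, as an added example that is not code from any of the posters: it encrypts the `connectionStrings` section of web.config in place with the built-in RSA protected-configuration provider, which keeps its key in a machine key container. It assumes a .NET Framework ASP.NET application whose worker-process identity can read that key container; the class name and the connection string name `Main` are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper class for this example.
public static class ConfigProtector
{
    // Built-in provider backed by an RSA key container. The alternative
    // built-in provider, DataProtectionConfigurationProvider, uses DPAPI
    // and ties the encrypted file to a single machine.
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts one section of web.config. virtualPath is the application
    // root, e.g. Request.ApplicationPath when called from a page.
    // Returns true if the section was encrypted by this call.
    public static bool Protect(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected || info.IsLocked)
            return false;               // already encrypted, or not editable here

        info.ProtectSection(Provider);  // swaps the XML for an EncryptedData element
        info.ForceSave = true;          // write even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code reads the value as usual; the runtime decrypts the
    // section transparently. "Main" is a hypothetical connection string name.
    public static string GetMainConnectionString()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings["Main"];
        if (s == null)
            throw new ConfigurationErrorsException("Connection string 'Main' is missing.");
        return s.ConnectionString;
    }
}
```

Calling `ConfigProtector.Protect(Request.ApplicationPath, "connectionStrings")` once after deployment is enough; the plaintext never needs to be stored in source code or in a helper class.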