Reputation: 11
I have a Web API in .NET Framework in which the UID and password are currently present as plain text in the connection strings. Instead of plain text, I want these values encrypted in Web.config because of the security scans.
Connection strings in plain text:
<connectionStrings>
  <add name="DataConnection1" connectionString="Data Source=server1;Initial Catalog=db1;Integrated Security=True" providerName="System.Data.SqlClient" />
  <add name="DataConnection2" connectionString="Data Source=server1;Initial Catalog=db2;Integrated Security=True" providerName="System.Data.SqlClient" />
  <add name="DataConnection3" connectionString="Data Source=server2;Initial Catalog=db123;UID=usn;PWD=password@123" providerName="System.Data.SqlClient" />
</connectionStrings>
I did some research regarding the encryption of connection strings. One of the ways is to use the ASPNET_REGIIS utility. But due to some access-related constraints on the server where the application is deployed, I can't use RsaProtectedConfigurationProvider.
Just wanted help to find out some other ways to encrypt the connection strings of web config.
Upvotes: 1
Views: 793
Reputation: 186
You do not have to use the RsaProtectedConfigurationProvider. There are some alternatives, mainly the DpapiProtectedConfigurationProvider (Specify a Protected Configuration Provider).
It is also possible to protect the config programmatically (ProtectSection):
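using System.Configuration;
using System.Web.Configuration;

// Open the application's root Web.config and encrypt <connectionStrings> with the DPAPI provider.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConfigurationSection section = config.GetSection("connectionStrings");
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
config.Save(ConfigurationSaveMode.Full);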
If you are experiencing problems using the *.ProtectedConfigurationProvider with Administrator privileges, have a look here: Web.config encryption as normal user
Upvotes: 1
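An added example (not code from the answer above): one way to run the ProtectSection approach once at startup, for instance from Application_Start, so that already-encrypted sections are skipped and Web.config is rewritten only when needed. The class and method names are hypothetical, and it assumes the application identity can write Web.config.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

// Hypothetical helper (name and shape are assumptions, not from the post).
public static class ConfigProtector
{
    // Default name of the DPAPI provider registered in machine.config.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts each named section that is still plain text; returns the ones it changed.
    public static IList<string> EnsureProtected(params string[] sectionNames)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        var changed = new List<string>();

        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null)
                throw new ConfigurationErrorsException("Section not found: " + name);

            SectionInformation info = section.SectionInformation;
            // Skip sections already encrypted or locked by a parent config.
            if (info.IsProtected || info.IsLocked)
                continue;

            info.ProtectSection(Provider);
            info.ForceSave = true; // write the section even if nothing else changed
            changed.Add(name);
        }

        // Saving rewrites Web.config (the process identity needs write access)
        // and restarts the app domain, so save only when something changed.
        if (changed.Count > 0)
            config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Deployment check for the question's config: the file should now hold
    // <EncryptedData> and no plain-text PWD= value.
    public static bool IsEncryptedOnDisk()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        string xml = File.ReadAllText(config.FilePath);
        return xml.Contains("<EncryptedData") && !xml.Contains("PWD=");
    }
}
```

Application code keeps reading `ConfigurationManager.ConnectionStrings["DataConnection3"]` as before, because the framework decrypts a protected section transparently. DPAPI ciphertext is tied to the machine that produced it, so the protected Web.config has to be generated on each server rather than copied between them.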