Reputation: 2066
ConnectionString not encrypted in SSIS integration project
I am building an Integration Services Project in VS 2019.
I have added a Project Connection Manager for an OLE DB/SQL Server.
I have configured the connection string using project parameters. (Project.params file).
Then I changed the project parameter to use "Configurations", in order to apply different values based on the active configuration.
In the Project Property settings, the protection level is set to "EncryptSensitiveWithUserKey".
However, if I examine the .dtproj file, both connection strings (Dev and "Azure") are stored unencrypted. This is a concern, as I want to be able to include the .dtproj file in a repository.
Am I doing something wrong? If it's not possible this way, how else can I securely "save" two connection strings in the project for different configurations?
Upvotes: 3
Views: 958
Answers (1)
Reputation: 37313
As the protection level is set to EncryptSensitiveWithUserKey, you should configure the project parameters as Sensitive. To do so, click on the Project.params file in the "Solution Explorer"
Then, set the parameter as sensitive. The parameter value will be masked immediately as shown in the image below:
Also, let us check the project.params file in the solution directory.
If we open the file using a text editor, we can check that the parameter value is encrypted.
Update
As the OP mentioned in the comments, setting the connection string parameter as sensitive led to the following exception:
The expression will not be evaluated because it contains sensitive parameter variable "$Project::ConnectionString". Verify that the expression is used properly and that it protects the sensitive information. ".
Based on the following Microsoft Tech community article:
This behavior is by design. The best practices approach to storing the connection information in SSIS is not to store the entire connection string inside of one variable but to separate out the individual pieces (username, password, server, etc.). This makes configuration easier within environment variables as well.
This means that we should configure the ConnectionString as non-sensitive while adding a separate sensitive parameter for each connection string part we want.
Helpful links:
- SSIS: Setting the same variable in multiple projects in the catalog
- SSIS Project Deployment Model: assign sensitive parameter to a project connection string
- Cannot use a sensitive project parameter on SSIS 2012
Upvotes: 1
Related Questions
- SSIS Package unable to connect DB when disable TLS 1.0
- encrypt SQL connectionstring c#
- How to deploy SSIS project with encrypted data?
- SSIS: Configuration of Dynamic Connection String Integrated Security Mode
- SSIS password stripped from connection string in database configuration
- Load SSIS package using Application.LoadFromSqlServer() with an encrypted connection string
- Encrypt SQL Server connection string
- Passing connection string from C# to SSIS package
- SSIS and Passwords
- How to encrypt Sql connection string?