26

I want to encrypt the password in the connection string. When I make a connection to the DB, the connection string is openly stored in App.config, and I need to find a way to keep only the password encrypted.

1

4 Answers

22

Let's say this is your connection string:

<connectionStrings>
    <add name="cs" connectionString="Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=XXSDFASFDKSFJDKLJFDWERIODFSDFHSDJHKJNFJKSD;"/>
</connectionStrings>

Then you can do something like this:

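// Read the stored connection string; its Password field holds ciphertext.
string myCs = System.Configuration.ConfigurationManager.ConnectionStrings["cs"].ConnectionString;

// Parse it so that only the Password field is replaced.
System.Data.SqlClient.SqlConnectionStringBuilder csb = new System.Data.SqlClient.SqlConnectionStringBuilder(myCs);
// EncDecHelper is a helper class you write yourself (see below).
csb.Password = EncDecHelper.Decrypt(csb.Password);
// Rebuild the connection string with the decrypted password, in memory only.
myCs = csb.ToString();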

You can write EncDecHelper.Decrypt by using samples from here: Encrypt and decrypt a string


3 Comments

But as I understand, anyone can decrypt it back ... Besides, I just want to encrypt the password.
@NDeveloper: I changed my answer, take a look.
I used the MySql version MySql.Data.MySqlClient.MySqlConnectionStringBuilder after seeing this post, worked great, thanks.
21

Use the connectionStrings configuration section and encrypt the whole section - instead of just the password.

This is safer as your app config will no longer have the server names and user names in plain text either.

There are how-to documents for encrypting configuration sections on MSDN for RSA or DPAPI.

3 Comments

Is there a way to make it work for an App.config file instead of just Web.config? Thanks for the answer though! +1
"This content is outdated and is no longer being maintained." Should it still be used? @Oded
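
A sketch of the whole-section approach from the answer above, applied to a desktop application's config file. This is an added example, not code from the answer or from MSDN; it assumes .NET Framework with a reference to System.Configuration.dll, and it reuses the connection string name "cs" from the first answer.

```csharp
using System;
using System.Configuration;

static class ConnectionStringProtector
{
    // Names of the two built-in protected-configuration providers.
    const string Dpapi = "DataProtectionConfigurationProvider";
    const string Rsa = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the running exe's config file
    // (MyApp.exe.config, which the build generates from App.config).
    // Returns true if the file was changed, false if it was already protected.
    static bool Protect(string provider)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("connectionStrings section not found");

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;   // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        bool changed = Protect(Dpapi);
        Console.WriteLine(changed
            ? "connectionStrings is now encrypted on disk."
            : "connectionStrings was already protected.");

        // Reading is unchanged: the runtime decrypts the section transparently,
        // so no custom decrypt helper is needed in application code.
        string cs = ConfigurationManager.ConnectionStrings["cs"].ConnectionString;
        var csb = new System.Data.SqlClient.SqlConnectionStringBuilder(cs);
        Console.WriteLine("Connecting to server: " + csb.DataSource);
    }
}
```

The DPAPI provider ties the ciphertext to the machine where the section was protected, so run this on the target host rather than shipping an already encrypted file. It protects the file at rest; code that runs on that host with access to the same keys can still read the section.
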
0

Maybe decrypt the connection string from your config before the application is loaded.

Comments

0

As an addition to the other answers, isn't it better to use the file in Source Control as a template, with just dev/test encrypted connection strings so that it works in dev/test?

For production (or other environments the app is deployed to), the encrypted credentials file is generated separately to the specified template format, is managed/updated/deployed separately, has appropriate security permissions applied, and is never seen by anyone other than DBA/DevOps.

Comments
