转载 How to Encrypt connection string in web.config
2016-05-31 05:31
633 查看
转载原地址: https://chiragrdarji.wordpress.com/2008/08/11/how-to-encrypt-connection-string-in-webconfig/
The most sensitive information stored in web.config file can be the connection string. You do not want to disclose the information related to your database to all the users where the application is deployed. Every time it is not possible to have a private machine for your sites, you may need to deploy the site in shared host environment. To encrypt the connection string in above situation is advisable.
ASP.NET 2.0 provides in built functionality to encrypt few sections of web.config file. The task can be completed using Aspnet_regiis.exe. Below is the web.config file and <connectionStrings> section.
Fig – (1) Connection string section of web.config file
To encrypt the connection string section follow the steps,
1. Go to Start -> Programm Files -> Microsoft Visual Studio 2005 -> Visual Tools
-> Microsoft Visual Studio 2005 Command Prompt
2. Type following command,
aspnet_regiis.exe -pef “connectionStrings” C:\Projects\DemoApplication
-pef indicates that the application is built as File System website. The second argument is the name of configuration section needs to be encrypted. Third argument is the physical path where the web.config file is located.
If you are using IIS base web site the command will be,
aspnet_regiis.exe -pe “connectionStrings” -app “/DemoApplication”
-pe indicates that the application is built as IIS based site. The second argument is the name of configuration section needs to be encrypted. Third argument “-app” indicates virtual directory and last argument is the name of virtual directory where application is deployed.
If everything goes well you will receive a message “Encrypting configuration section…Succeeded!”
Open your web.config file and you can see that connection string is encrypted,
Fig – (2) Encrypted connection string section
You do not have to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.
Now to decrypt the configuration section in web.config file use following command,
For File System Application,
aspnet_regiis.exe -pdf “connectionStrings” C:\Projects\DemoApplication
For IIS based Application
aspnet_regiis.exe -pd “connectionStrings” -app “/DemoApplication”
If you want to encrypt any nested section in web.config file like <pages> element within <system.web> you need to write full section name as shown below,
aspnet_regiis.exe -pef “system.web/Pages” C:\Projects\DemoApplication
You can encrypt all the sections of web.config file except following using the method I displayed in this article,
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
To encrypt these section you needed to use Aspnet_setreg.exe tool. For more detail about Aspnet_setreg.exe tool search Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.
The most sensitive information stored in web.config file can be the connection string. You do not want to disclose the information related to your database to all the users where the application is deployed. Every time it is not possible to have a private machine for your sites, you may need to deploy the site in shared host environment. To encrypt the connection string in above situation is advisable.
ASP.NET 2.0 provides in built functionality to encrypt few sections of web.config file. The task can be completed using Aspnet_regiis.exe. Below is the web.config file and <connectionStrings> section.
1: <connectionStrings> 2: <add name="cn1" 3: connectionString="Server=DB SERVER; 4: database=TestDatabase; 5: uid=UID; 6: pwd=PWD;" /> 7: </connectionStrings>
Fig – (1) Connection string section of web.config file
To encrypt the connection string section follow the steps,
1. Go to Start -> Programm Files -> Microsoft Visual Studio 2005 -> Visual Tools
-> Microsoft Visual Studio 2005 Command Prompt
2. Type following command,
aspnet_regiis.exe -pef “connectionStrings” C:\Projects\DemoApplication
-pef indicates that the application is built as File System website. The second argument is the name of configuration section needs to be encrypted. Third argument is the physical path where the web.config file is located.
If you are using IIS base web site the command will be,
aspnet_regiis.exe -pe “connectionStrings” -app “/DemoApplication”
-pe indicates that the application is built as IIS based site. The second argument is the name of configuration section needs to be encrypted. Third argument “-app” indicates virtual directory and last argument is the name of virtual directory where application is deployed.
If everything goes well you will receive a message “Encrypting configuration section…Succeeded!”
Open your web.config file and you can see that connection string is encrypted,
1: <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider"> 2: <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" 3: xmlns="http://www.w3.org/2001/04/xmlenc#"> 4: <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> 5: <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 6: <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"> 7: <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> 8: <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 9: <KeyName>Rsa Key</KeyName> 10: </KeyInfo> 11: <CipherData> 12: <CipherValue>Ik+l105qm6WIIQgS9LsnF8RRxQtj2ChEwq7DbHapb440GynFEoGF6Y3EM3Iw/lyDV8+P8bIsketi5Ofy9gpZlCBir7n315Q6RPbdclUo79o/LKadhX4jHFpnSIQNIF/LhwjwkLFC0=</CipherValue> 13: </CipherData> 14: </EncryptedKey> 15: </KeyInfo> 16: <CipherData> 17: <CipherValue>JsLrQ5S8Pq3U72nQzmSl/XlLX72GM0O3EbPLaHRNvjTDgG9seDflGMjTfO10M1s7/mPh//3MhA7pr0dNHUJ143Svhu5YXODRC6z9CkR0uyE4H7uDvTKJ8eR3m9APhXoo1sT1K3tCLHD6a2BM+gqSk9d8PzCfbM8Gmzmpjz1ElIaxu62b4cg9SNxp8o86O9N3fBl2mq</CipherValue> 18: </CipherData> 19: </EncryptedData> 20: </connectionStrings>
Fig – (2) Encrypted connection string section
You do not have to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.
Response.Write(ConfigurationManager.ConnectionStrings["cn1"].ConnectionString);
Now to decrypt the configuration section in web.config file use following command,
For File System Application,
aspnet_regiis.exe -pdf “connectionStrings” C:\Projects\DemoApplication
For IIS based Application
aspnet_regiis.exe -pd “connectionStrings” -app “/DemoApplication”
If you want to encrypt any nested section in web.config file like <pages> element within <system.web> you need to write full section name as shown below,
aspnet_regiis.exe -pef “system.web/Pages” C:\Projects\DemoApplication
You can encrypt all the sections of web.config file except following using the method I displayed in this article,
<processModel>
<runtime>
<mscorlib>
<startup>
<system.runtime.remoting>
<configProtectedData>
<satelliteassemblies>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
To encrypt these section you needed to use Aspnet_setreg.exe tool. For more detail about Aspnet_setreg.exe tool search Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.
相关文章推荐
- Technical Artist 的不归路 —— 线性空间光照
- boost库的安装,使用,介绍,库分类
- boost库的安装,使用,介绍,库分类
- oracle游标——(一)
- 软件开发与设计知识
- leetcode #68 in cpp
- Java线程安全问题,方法及内存模型
- 冲刺第二阶段第七天
- leecode_210 Course Schedule II
- [leetcode] 350. Intersection of Two Arrays II
- JSP系列:(7)JSP进阶-EL
- JSP系列:(7)JSP进阶-EL
- bootstrapvalidator之API学习
- Volley框架简介
- 日记(2016/5/31)
- AndroidStudio集成极光推送SDK
- Hibernate的原理和作用
- php原本是浅克隆
- html,XPath 学习笔记
- Struts2原理与工作流程简述