Encrypt or Decrypt connection string in .Net

A connection string contains highly confidential information (typically a database login and password) which should be secured carefully to prevent any kind of misuse. Securing it in .NET does not require writing any additional code. Below are the steps to encrypt and decrypt a connection string.


Let's assume you have a connection string as follows in either web.config or app.config.


Now go to the following path to access aspnet_regiis.exe:
"%WinDir%\Microsoft.NET\Framework\<versionNumber>"

And run the following command:

aspnet_regiis -pe "connectionStrings" -app "/MyApplication"

The above command with the -app switch assumes that there is an IIS virtual directory called MyApplication. If you are using the Visual Studio .NET 2005 Web server instead of IIS, use the -pef switch, which lets you specify the physical directory that contains your configuration file:

aspnet_regiis.exe -pef "connectionStrings" C:\Projects\MyApplication

Note: Because the above command only looks for web.config, rename your app.config to web.config if you are using a Windows or console application. Don't worry, you will rename it back to app.config once this process is done.

If everything is fine you will see the following message in the command prompt.

And your app.config or web.config will look like the following.


You can use the code below to retrieve the connection string; ConfigurationManager takes care of decrypting the section transparently.

string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["testConn"].ConnectionString;


That's all it takes to maintain a secure connection string in web.config or app.config.

Note: If your ASP.NET application identity does not have access to the .NET Framework configuration key store, the following message is returned:

Parser Error Message: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'.
Error message from the provider: The handle is invalid.

To grant access to the ASP.NET application identity:
  1. If you are not sure which identity to use, check the identity from a Web page by using the following code:
    using System.Security.Principal;
    ...
    protected void Page_Load(object sender, EventArgs e)
    {
      // Writes the Windows account the worker process runs as, e.g. NT AUTHORITY\NETWORK SERVICE
      Response.Write(WindowsIdentity.GetCurrent().Name);
    }

  2. By default, ASP.NET applications on Windows Server 2003 run using the NT Authority\Network Service account. Open a .NET command prompt, and use the following command to give this account access to the NetFrameworkConfigurationKey store:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT Authority\Network Service"
    If the command runs successfully you will see the following output:
    Adding ACL for access to the RSA Key container...
    Succeeded!

    You can check the ACL of the file in the following folder:
    \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
    Your RSA key container file is the file in this folder with the most recent timestamp.



To change the connectionStrings section back to clear text, run the following command from the command prompt:
aspnet_regiis -pd "connectionStrings" -app "/MyApplication"
If the command is successful, you will see the following output:

To decrypt the connectionStrings section when you specify a physical path to your application's configuration file, use the -pdf switch as shown here:
aspnet_regiis -pdf "connectionStrings" C:\Projects\MyApplication
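The encrypt step (aspnet_regiis -pe / -pef), the read via ConfigurationManager, and the decrypt step (-pd / -pdf) above can all be done from code with the same RsaProtectedConfigurationProvider. The following console program is an added example and is not code from the original post: it protects or unprotects the connectionStrings section of its own app.config, of another app.config given by file path (which avoids the rename-to-web.config trick from the note above), or of an IIS application given by virtual path, and it reads a connection string while reporting the identity that needs aspnet_regiis -pa access when decryption fails. The connection string name testConn and the virtual path /MyApplication are the post's examples; the class and method names are mine. Build it as a console application referencing System.Configuration.dll and System.Web.dll.

```csharp
// Added example (not from the original post): programmatic equivalent of
// aspnet_regiis -pe / -pd for the connectionStrings section, plus a read that
// explains a "Failed to decrypt using provider" error. Assumptions: the
// connection string is named "testConn" and the IIS virtual path is
// "/MyApplication", both taken from the post; everything else is illustrative.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;

static class ConnectionStringProtection
{
    // Default provider used by aspnet_regiis; its key pair lives in the
    // machine-level NetFrameworkConfigurationKey RSA key container, so a file
    // encrypted here only decrypts on this machine (or one the container was exported to).
    const string ProviderName = "RsaProtectedConfigurationProvider";
    const string SectionName = "connectionStrings";

    // null            -> this process's own exe config (app.config)
    // "/MyApplication" -> web.config of that IIS application (like -app)
    // "C:\...\app.config" -> any config file on disk, no renaming needed (like -pef)
    static Configuration Open(string target)
    {
        if (target == null)
            return ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        if (target.StartsWith("/"))
            return WebConfigurationManager.OpenWebConfiguration(target);
        var map = new ExeConfigurationFileMap { ExeConfigFilename = target };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Equivalent of: aspnet_regiis -pe "connectionStrings" ...
    // Returns true if the section was encrypted, false if it already was.
    public static bool Protect(string target = null)
    {
        Configuration config = Open(target);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(ProviderName);
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Equivalent of: aspnet_regiis -pd "connectionStrings" ...
    // Returns true if the section was written back as clear text.
    public static bool Unprotect(string target = null)
    {
        Configuration config = Open(target);
        ConfigurationSection section = config.GetSection(SectionName);
        if (!section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // ConfigurationManager decrypts the section transparently. If the process
    // identity cannot open the RSA key container, the read throws
    // ConfigurationErrorsException carrying the provider's error message, so
    // the diagnostic names the account that must be granted access with -pa.
    public static string TryGetConnectionString(string name, out string diagnostic)
    {
        diagnostic = null;
        try
        {
            ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
            if (settings == null)
            {
                diagnostic = "No connection string named '" + name + "' in the config file.";
                return null;
            }
            return settings.ConnectionString;
        }
        catch (ConfigurationErrorsException ex)
        {
            string identity = WindowsIdentity.GetCurrent().Name;
            diagnostic = string.Format(
                "{0} Process identity: {1}. Grant it access with: aspnet_regiis -pa \"NetFrameworkConfigurationKey\" \"{1}\"",
                ex.Message, identity);
            return null;
        }
    }

    // Usage: ConnectionStringProtection.exe [protect|unprotect|read] [target]
    static int Main(string[] args)
    {
        string action = args.Length > 0 ? args[0] : "read";
        string target = args.Length > 1 ? args[1] : null;
        switch (action)
        {
            case "protect":
                Console.WriteLine(Protect(target) ? "connectionStrings encrypted." : "Already encrypted.");
                return 0;
            case "unprotect":
                Console.WriteLine(Unprotect(target) ? "connectionStrings decrypted." : "Already clear text.");
                return 0;
            default:
            {
                string why;
                string cs = TryGetConnectionString("testConn", out why);
                // Report only whether the value was readable; never echo the
                // decrypted connection string to the console or to logs.
                Console.WriteLine(cs != null ? "testConn decrypted successfully." : why);
                return cs != null ? 0 : 1;
            }
        }
    }
}
```

Run it once as protect from the account that owns the deployment and then as read under the application's own identity: a successful read confirms that the key container ACL from step 2 above is in place, and a failure prints the exact account name to pass to aspnet_regiis -pa.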
