Mar 22, 2007

Encrypt/Decrypt connection strings in web.config

using System.Configuration;
using System.Web.Configuration;

// Pick one provider; declaring PROVIDER twice does not compile.
const string PROVIDER = "DataProtectionConfigurationProvider";
// const string PROVIDER = "RSAProtectedConfigurationProvider";

Configuration ObjConfiguration =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

ConnectionStringsSection cnStrSettings = ObjConfiguration.ConnectionStrings;

// Encrypt the Connection Strings Section
if (!cnStrSettings.SectionInformation.IsProtected)
{
    cnStrSettings.SectionInformation.ProtectSection(PROVIDER);
    ObjConfiguration.Save();
}

// Decrypt the Connection Strings Section (run this instead of the block above)
if (cnStrSettings.SectionInformation.IsProtected)
{
    cnStrSettings.SectionInformation.UnprotectSection();
    ObjConfiguration.Save();
}
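
To confirm that a web.config on disk really has its connection strings protected, the file can be inspected directly. This is an added example, not code from the original post; the class and method names are hypothetical and both sample documents are constructed.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class ConfigAudit
{
    // Returns null when the section is protected, otherwise a short finding.
    public static string CheckConnectionStrings(string webConfigXml)
    {
        // Match on local names: the root may carry a default namespace, and the
        // RSA provider writes EncryptedData in the XML Encryption namespace.
        XElement section = XDocument.Parse(webConfigXml).Root.Elements()
            .FirstOrDefault(e => e.Name.LocalName == "connectionStrings");
        if (section == null)
            return "no <connectionStrings> section in this file";

        string provider = (string)section.Attribute("configProtectionProvider");
        bool hasCipher = section.Elements()
            .Any(e => e.Name.LocalName == "EncryptedData");
        bool hasPlain = section.Elements()
            .Any(e => e.Name.LocalName == "add"
                   && e.Attribute("connectionString") != null);

        if (hasPlain)
            return "plaintext connection string(s) present";
        if (string.IsNullOrEmpty(provider) || !hasCipher)
            return "section is not protected";
        return null;
    }

    static void Main()
    {
        // Constructed sample: unprotected section.
        string plain = @"<configuration><connectionStrings>
  <add name=""Db"" connectionString=""Server=db;User Id=app;Password=example"" />
</connectionStrings></configuration>";

        // Constructed sample: shape of a section after ProtectSection().
        string enc = @"<configuration>
<connectionStrings configProtectionProvider=""DataProtectionConfigurationProvider"">
  <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>";

        Console.WriteLine(CheckConnectionStrings(plain) ?? "protected");
        Console.WriteLine(CheckConnectionStrings(enc) ?? "protected");
    }
}
```

The check only reads the file it is given; a section moved out with `configSource` has to be checked in the file it points to.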


2 comments:

Ravi said...

Hi All,

Thanks for your reply and advice.

My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.

The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?

Thanks!

tillu said...

Even if someone can get your web.config via FTP, you are still safe since the passwords are encrypted and hence cannot be decrypted anywhere else... so no one can steal passwords even if they get the web.config via FTP.