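// Requires: using System.Configuration; using System.Web.Configuration;
const string PROVIDER = "RSAProtectedConfigurationProvider";
Configuration ObjConfiguration =
    WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConnectionStringsSection cnStrSettings = ObjConfiguration.ConnectionStrings;

// Encrypt the connection strings section (skipped if it is already protected)
if (!cnStrSettings.SectionInformation.IsProtected)
{
    cnStrSettings.SectionInformation.ProtectSection(PROVIDER);
}

// To decrypt instead, use this block in place of the one above.
// Running both in sequence would leave the section unencrypted.
// if (cnStrSettings.SectionInformation.IsProtected)
// {
//     cnStrSettings.SectionInformation.UnprotectSection();
// }

// Write the change back to web.config
ObjConfiguration.Save();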
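To confirm that the section really is stored encrypted after Save(), the following added example (not part of the original post) inspects a copy of web.config and reports whether connectionStrings is protected. The two sample documents and the function name audit_connection_strings are constructed for illustration, and the cipher value is a placeholder.

```python
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: the section before ProtectSection() has been called.
PLAIN = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=example;" />
  </connectionStrings>
</configuration>"""

# Constructed sample: shape of the section after ProtectSection() and Save().
# The cipher value is a placeholder, not real ciphertext.
PROTECTED = """<configuration>
  <connectionStrings configProtectionProvider="RSAProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""


def audit_connection_strings(xml_text):
    """Return (status, detail) for the <connectionStrings> section."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return ("absent", "no connectionStrings section")
    provider = section.get("configProtectionProvider")
    encrypted = section.find("{%s}EncryptedData" % XMLENC)
    # Any readable <add> entry means connection strings are stored in the clear.
    plain = [a.get("name", "?") for a in section.findall("add")]
    if plain:
        return ("plaintext", ", ".join(plain))
    if provider and encrypted is not None:
        return ("protected", provider)
    return ("inconsistent", "provider attribute or EncryptedData missing")


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("protected", PROTECTED)):
        print(label, audit_connection_strings(doc))
```
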
2 comments:
Hi All,
Thanks for your reply and advice.
My problem is that if someone can log into the server via
an FTP program (I use WS_FTP), then the web.config is
easily viewable with no restrictions.
The encryption schemes you mentioned are to deny people
access via a web browser? I will look into hashed
passwords, but if someone gets into my site via an FTP
program, does this encryption do anything?
Thanks!
Even if someone can get your web.config via FTP, you are still safe, since the passwords are encrypted and hence cannot be decrypted anywhere else, so no one can steal the passwords even if they get the web.config via FTP.