Encrypt And Decrypt ConnectionString In Web.Config File
In this article we are going to see how we can encrypt and secure our connection string in our web config file. As you all know the connection string is the pillar of our data. I mean, without a connection string you just can’t create an application which does some database actions like retrieving the data, creating the data. We all know that the connection string is placed in the file called web config, so others too. If anyone needs to get the database information of your application, the first place he/she may look at will be the web config file. Am I right? It is always recommend to encrypt the connection string of your application because the data we have there is highly sensitive. It must be secured. Here I am going to show you a demo of how we can do that, You can do the same thing in your Web API project, MVC project, Asp.Net 5 project, or any kind of templates you works with. I hope you will like this.
Background
I used to secure my config file if I am the who starts the project. Here you will get to know how easy the procedure is to encrypt the connection string. There is only a few steps to be followed. I will explain those.
Agenda
The following is the agenda we are going to follow.
Perquisites
Create an empty project
To create an empty project, go to File->New->New Project->Name the project->Select Empty->Click OK. Hope you get a solution as follows.
Now We will connect to a database. To connect, please click on the connect icon in your server explorer window and connect you Local/Server database.
Add a connection string
Now it is time to add our connection string, hope you got your data source of the database we already connected. The connection string property must be placed under configuration tag in your web config file. Here is mine.
[xml]
<connectionStrings>
<add name="myConnection" connectionString="Data Source=SIBEESHVENU\SQLEXPRESS;Initial Catalog=ReportServer$SQLEXPRESS;Integrated Security=True" />
</connectionStrings>
[/xml]
Now we will create a web page and in the page load event we will fetch this connection string and write it as a response.
[csharp]
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace EncryptConnectionString
{
public partial class Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
try
{
string myCon = System.Configuration.ConfigurationManager.ConnectionStrings["myConnection"].ConnectionString;
if (myCon != null)
{
Response.Write("My connection string is :" + myCon);
}
}
catch (Exception)
{
throw;
}
}
}
}
}
[/csharp]
Please run your page, you will see your connection string in your page.
Encrypt connection string
To start the process, you must open your command window with the admin privilege. Then type the following command.
[csharp]
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
[/csharp]
This command will narrate you to the framework version folder given. Now right click on your project and click open folder in file explorer and then copy the location. For me it is F:\Visual Studio\EncryptConnectionString\EncryptConnectionString. Now please go back to your command prompt and type the command as follows.
[csharp]
ASPNET_REGIIS -PEF "connectionStrings" "F:\Visual Studio\EncryptConnectionString\EncryptConnectionString"
[/csharp]
Once you click the enter. You will get the output as follows.
Please be noted that the text connectionStrings is case sensitive. If you don’t give it as it is, you will get an error as follows.
[csharp]
C:\Windows\Microsoft.NET\Framework\v4.0.30319>ASPNET_REGIIS -PEF "connectionstrings" "F:\Visual Studio\EncryptConnectionString\EncryptConnectionString"
Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Encrypting configuration section…
The configuration section ‘connectionstrings’ was not found.
Failed!
[/csharp]
So please be careful while you type the commands. Now I am going back to our application and see the config file. Shall we? You can see the connection string is encrypted as follows.
[xml]
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>B4B3oZrbpQsYM7Eaq5smukqDj9XUYUCwygBYRG1iasN4ll5W4wAKVCIFCRfvOJGoIXzgqpyjAI30IKf5pnZ/xWqmo3p/wGfOKdMrzd041dt9llLGbxFpLJs0Nkm583PJ1FppXLAy7FOD0YoBVhG/PBtBgLjTQqcXRNbVcgufzuArlv/EH+7lzSNRclXSTMOPMtISF65hPI9ICj9qLx7RBGhVZ6uFZVFteyyuRd2i3D2r7wJfr6KflFkakdxp1OWE2JK4Ldb8kZSwAy3bNaI/qaV9EgIWt9wM6RZO/IrI3kI/bX8JuvirPw3j/+TLDB3MoIgKjSbLpR3GYTm9csPu8g==</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>0n1Y6ScSNZDR4x1sXfK05w9h+pp2OrAEQFQsoAUP5Y/hPsfpJS/7jv21PbPlkYmdCzycM4PGGb0+fuffR3RuL1x0tn7rfyUdA9llTfkyRQKwS9xOmkMsVFXgQDr8P4aXGef1fZPE2gjhcjm/JQToLwsfQZK1gNr4d6cIPFNqKD6wt24F7fuySJPX3OgLb8wXfQMd7ij+JcZzNlnyNHbq/DIjxSpPOnMrC52t06Jj8F8+MsSud9GcijcFB2UhvLVXQwyZ51nEj6Tf36Zbca8bgw==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
[/xml]
Decrypt connection string
You can always decrypt the connection string if you want, to decrypt you just need follows the commands as follows in the command prompt.
[csharp]
cd C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319
[/csharp]
Once after you did you the above command you can execute the preceding one.
[csharp]
ASPNET_REGIIS -PDF "connectionStrings" "F:\Visual Studio\EncryptConnectionString\EncryptConnectionString"
[/csharp]
The text ‘connectionString’ is case sensitive as mentioned above
If the command is correct, you can get an output as follows.
Now if you check your Web config again, you can see the connection string has got encrypted. Have a happy coding!.
Conclusion
Did I miss anything that you may think which is needed? Could you find this post as useful? I hope you liked this article. Please share me your valuable suggestions and feedback.
Your turn. What do you think?
A blog isn’t a blog without comments, but do try to stay on topic. If you have a question unrelated to this post, you’re better off posting it on C# Corner, Code Project, Stack Overflow, Asp.Net Forum instead of commenting here. Tweet or email me a link to your question there and I’ll definitely try to help if I can.
Kindest Regards
Sibeesh Venu