[Tutorial] Encrypt Connection String in Web.Config

hacks · 05-23-2008, 06:08 AM

This article is to give an idea how we can achieve security in web.config file, its a basic practice to store our Database connection string in web.config file. This avoids hard coding and you can always change as and when required but the problem is anybody who has access to solution can see the user name and passwords of the database and can be changed. To avoid this kind of problem Microsoft provides a tool called aspnet_setreg.exe this will help us to encrypt connection string or any other information you want to be secured.

Aspnet_setreg.exe is tool which will create an encrypted registry entry for your values; you can encrypt any of the web.config key values using this tool.

How to do? For example your database connection string is DSN=test;uid=test;pwd=test; like this then you web.config entry would be.

Code:

   1. </p>  
   2. <p><configuration><br />  
   3. <appSettings><br />  
   4. <add key=” DSN=test;uid=test;pwd=test” /><br />  
   5. </aapSetting><br />  
   6. </configuration></p>  
   7. <p>

But in above entry you can always see the user name and password of the database.

Now we will see how to use aspnet_setreg.exe.

First of all you need to create a registry entry using aspnet_setreg.exe

Example to create:

aspnet_setreg.exe -k:SOFTWARE\Your_Service\SessionState -c:sqlConnectionString=”DSN=test;uid=test;pwd=test; ”

After executing the above command, you can see a registry entry under LOCAL_MAHCINE\SOFTWARE\Your_Service\SessionState

Now the entry in web.config should be like following
<appSettings>
<add key=”sqlConnectionString”
value=”registry:HKLM\SOFTWARE\Your_Service\Session State\ASPNET_SETREG,sqlConnectionString” />

Getting back the Connection String

Now we will see how to get the back the connection string in our project, now we are aware that our connection string encrypted and stored in the registry so to use the data retrieved from registry should be decrypted for that we need a third party free DLL called NCrypto, the source of this DLL you can download from the following location

Code:

http://sourceforge.net/projects/ncrypto/

this DLL provides the function using which you can decrypt your data.

Sample code

Code:

<br />
using NCrypto.Security.Cryptography;<br />
private string DecryptString()<br />
{<br />
string pConnectionString = ConfigurationSettings.AppSettings _<br />
["sqlConnectionString"]<br />
string sSqlConnectionString = null;<br />
try<br />
{</p>
<p>char[] cSeparators = {’:', ‘,’};<br />
byte[] registryBytes;<br />
//Split the value using : character<br />
string[] regKeyPath = pConnectionString.Split(cSeparators[0]);<br />
//Get the Registry Key path<br />
regKeyPath = regKeyPath[1].Split(cSeparators[1]);<br />
RegistryKey regkeyHive = Registry.LocalMachine;<br />
RegistryKey regKey = regkeyHive.OpenSubKey(regKeyPath[0].Replace(”HKLM\\”, “”));<br />
//get the encrypted value<br />
registryBytes = (byte[])regKey.GetValue(regKeyPath[1]);<br />
//Decrypt the value into Connection String<br />
sSqlConnectionString = Encoding.Unicode.GetString( _<br />
ProtectedData.Unprotect(registryBytes));<br />
sSqlConnectionString = sSqlConnectionString.Replace( _<br />
regKeyPath[1] + “=”, “”);<br />
}<br />
catch(Exception e)<br />
{</p>
<p>}<br />
return sSqlConnectionString;<br />
}<br />

knw · Today, 07:17 PM

hey is it really wrkin then i shld try it out in vs 2005