Wrox Programmer Forums

You are currently viewing the ASP.NET 2.0 Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
August 28th, 2008, 07:21 AM
vikingsunil (Registered User)
Encrypting config

Hi,
I have been looking around for some help on this topic as my .Net application used to connect to a DB for which the password was being supplied in plain text in the config file under the connectionStrings section of my application configuration file.
I was looking for a mechanism to get my password encrypted which I would store on the app.config file which will then be read and decrypted by my application.
On googling I found an option that was much better than this. With this option I could still save my settings in plain text in the app.config file and this gets encrypted on the first run of the application (provided you write the encryption code at the right place, typically in the OnStart event handler of the application).
I wrote the following function and called it from within the OnStart event handler of my app with the config section name as a parameter ("connectionStrings" in my case):
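// Requires a reference to System.Configuration.dll and: using System.Configuration;
private void ProtectConfigSection(String sectionName)
{
    // Open the configuration file of the running executable.
    Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    ConfigurationSection section = config.GetSection(sectionName);
    if (section != null)
    {
        // Skip sections that are already encrypted.
        if (!section.SectionInformation.IsProtected)
        {
            // A locked section cannot be modified.
            if (!section.ElementInformation.IsLocked)
            {
                // Encrypt the section with the Windows DPAPI-based provider.
                section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
                // Write the section back to disk in its protected form.
                section.SectionInformation.ForceSave = true;
                config.Save(ConfigurationSaveMode.Full);
            }
        }
    }
}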

This mechanism is based on protecting/encrypting a particular section of the config file.
I found this approach useful as it protects my "connectionString" section by encrypting it on the first run. The best part is that I need not write any additional code for decrypting/unprotecting the config section. My app was able to read the encrypted section the same way as earlier (i.e. by using ConfigurationManager.AppSettings["Keyname"]).

Hope this will be of some use. Please let me know if someone has any better approach than this.
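
A check for the result of the approach in the post above, as an added example that is not part of the original thread: it reads a .config file's XML and reports whether the connectionStrings section is still plaintext (and which entries embed a password) or has been replaced by protected-section output. The function name and both sample documents are constructed for illustration; the protected form assumed is a configProtectionProvider attribute on the section with an EncryptedData child.

```python
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a secret (ADO.NET style).
SECRET_KEYS = {"password", "pwd"}

# Constructed sample: one entry with an embedded password, one using Windows auth.
PLAINTEXT_SAMPLE = """<configuration><connectionStrings>
<add name="MainDb" connectionString="Server=db01;Database=app;User Id=svc;Password=CONSTRUCTED-EXAMPLE" />
<add name="ReportsDb" connectionString="Server=db01;Database=rpt;Integrated Security=SSPI" />
</connectionStrings></configuration>"""

# Constructed sample: shape of a protected section (cipher text is a placeholder).
PROTECTED_SAMPLE = """<configuration>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings></configuration>"""

def local(tag):
    """Strip an XML namespace so namespace-qualified elements still match."""
    return tag.rsplit("}", 1)[-1]

def audit_connection_strings(config_xml):
    """Return (status, names). status is 'missing', 'protected' or 'plaintext';
    names lists the plaintext entries whose connection string embeds a password."""
    root = ET.fromstring(config_xml)
    section = next((e for e in root.iter() if local(e.tag) == "connectionStrings"), None)
    if section is None:
        return "missing", []
    children = [local(c.tag) for c in section]
    # The attribute alone is not enough: require the encrypted payload as well.
    if section.get("configProtectionProvider") and "EncryptedData" in children:
        return "protected", []
    exposed = []
    for add in section:
        if local(add.tag) != "add":
            continue
        # Simple key=value split; quoted values containing ';' are not handled.
        parts = add.get("connectionString", "").split(";")
        pairs = (p.split("=", 1) for p in parts if "=" in p)
        if any(k.strip().lower() in SECRET_KEYS and v.strip() for k, v in pairs):
            exposed.append(add.get("name", "?"))
    return "plaintext", exposed

if __name__ == "__main__":
    for label, doc in (("before", PLAINTEXT_SAMPLE), ("after", PROTECTED_SAMPLE)):
        print(label, audit_connection_strings(doc))
```

A 'plaintext' status with an empty list means the section is unencrypted but no entry carries a password, as with integrated authentication.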

 
August 28th, 2008, 10:53 PM
planoie (Friend of Wrox)

Perhaps a silly question but...

Why the concern for security on a configuration file that is only readable on a web server? By default, IIS will not serve a .config file and presumably if you can get onto the web server itself to read the "physical" file, then you have a larger security concern.

-Peter
compiledthoughts.com




