Wrox Programmer Forums
BOOK: Beginning ASP.NET 4 : in C# and VB
This is the forum to discuss the Wrox book Beginning ASP.NET 4: in C# and VB by Imar Spaanjaars; ISBN: 9780470502211

You are currently viewing the BOOK: Beginning ASP.NET 4 : in C# and VB section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
September 26th, 2011, 03:59 PM
Authorized User
 
encrypting web.config

Imar or anyone else. The password in the web.config is plain text. I have endeavored to encrypt it. If others want to try, go here as a starting point:

http://www.asp.net/data-access/tutor...information-cs

*****
GOAL: encrypt the <system.net> section in the web.config file

WHAT I DID: I used the code from the above link to encrypt. I can encrypt web.config via VWD and it works fine. But ...

Q1: Are encryptions machine-specific? Meaning that I cannot encrypt web.config via VWD, then deploy it to the GoDaddy web server and expect it to decrypt, correct? Because the web server uses a different key, correct?

WHAT I DID: So I set my code in Application_Start in Global.asax.cs to encrypt it during runtime. Because, once it's encrypted on the web server, the web server can decrypt as needed since it has the proper key, correct? But I get error messages when I run it on the web server.

Q2: The GoDaddy rep stated that I am not allowed to change files in my root directory (www.mysite.com), which is where my web.config file is located. He stated that this is a Windows issue, but it would work fine if I had my site on the Linux server. Is this correct?

I'm sure that others have successfully done this, since no one wants to leave the password in open view in web.config. Can someone clarify the accuracy of my assumptions above and point me in the correct "architecture" to resolve my encryption endeavor?

THANK YOU.
 
September 26th, 2011, 04:07 PM
Imar
Wrox Author
 

Hi there,

1) Yes, they are. If your host is willing to cooperate they can export the key for you: http://www.iislogs.com/articles/encryptedconnstring/

However, if your host can decrypt it they can still access it, leaving much of the door open.

2) That doesn't make sense. You should be able to write to the site's root folder from within the ASP.NET app.

Cheers,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
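
What the runtime encryption discussed in this exchange can look like when called from Application_Start, as an added example that is not part of the thread or the book's code: it uses the built-in `RsaProtectedConfigurationProvider`, whose key container can be exported and imported on another server, whereas the DPAPI provider is bound to one machine. The class name `ConfigProtector` and the choice of sections are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector // hypothetical name; added example
{
    // Built-in provider names registered in machine.config:
    //   RsaProtectedConfigurationProvider   - RSA key container, exportable to another server
    //   DataProtectionConfigurationProvider - DPAPI, bound to the machine that encrypted
    private const string Provider = "RsaProtectedConfigurationProvider";

    // <system.net> is a section group and cannot be protected as a whole;
    // the SMTP password lives in the mailSettings/smtp section inside it.
    private static readonly string[] Sections =
    {
        "system.net/mailSettings/smtp",
        "connectionStrings"
    };

    // Call once from Application_Start. Returns the number of sections newly encrypted.
    public static int ProtectSecrets()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        int changed = 0;
        foreach (string name in Sections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsProtected)
                continue; // section absent, or already encrypted on this server
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            changed++;
        }
        if (changed == 0) return 0; // nothing to write, so no app restart is triggered
        try
        {
            config.Save(ConfigurationSaveMode.Modified); // rewrites web.config on disk
        }
        catch (Exception ex)
        {
            // Typical on shared hosting: the app identity cannot write to the site root.
            System.Diagnostics.Trace.TraceError("web.config left in plain text: " + ex.Message);
            return 0;
        }
        return changed;
    }
}
```

The application code that reads the settings does not change: ASP.NET decrypts protected sections transparently as long as the server holds the matching key.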
 
September 26th, 2011, 04:21 PM
Authorized User
 
Follow up questions ... ;-)

Imar, thanks for the quick reply. Some general questions follow just for clarity.

"However, if your host can decrypt it they can still access it, leaving much of the door open."

Q1: Is it easy for someone to get my web.config file from the web server (e.g., hosted on godaddy.com)?

Q2: If the answer to Q1 is "Yes", is it generally a good idea to encrypt parts of the web.config file? Note: we also store database passwords in the connectionStrings section.

Q3: If the answer to Q2 is "Yes", then are we in a situation where, yes, the host service has the key to decrypt, but at least 1) our passwords in the web.config file are encrypted, 2) no one else can easily see it, and 3) we are trusting our hosting service not to abuse their "ability"?
 
September 26th, 2011, 05:23 PM
Imar
Wrox Author
 

Q1: easy: no. ASP.NET is set up to block access to that file by default. For example, you can't get this file: http://imar.spaanjaars.com/web.config Possible: yes.

The threat comes from access to the local machine, or other ways to access the file. With access to the local machine, you may already be screwed anyway depending on the access level of the intruder. However, people may also get access to the file by either hacking your FTP server or guessing your FTP or "Plesk" account or whatever you use, or other means to bypass standard Windows security settings (steal the backup for example). In those cases, having encrypted files might mitigate the issue as the attacker won't be able to reuse the info as-is, nor decrypt it easily.

Q2: yes, but it's not easy with shared hosting services.

Q3: Correct.

Cheers,

Imar