Encrypt ConnectionStrings in Web.Config File
papayao said 1 year ago:
How do I encrypt the connectionStrings of my web.config file when I upload it to the server? The database user and password are there, so it is dangerous without encryption O_o. Help please. Windows host, Microsoft SQL database.
papayao said 1 year ago:
And the website is ASP.NET 4 (Framework 4).
bryceh said 1 year ago:
As Windows shared hosting accounts do not provide you with command line access, you won’t be able to encrypt your web.config file using traditional methods. Your best bet would be to place the connection string info into a separate config file. Check out the link below for more information on how to do that:
Hope this helps!
deepu said 11 months ago:
How does it help to move the connection string to another config file? Ultimately we won’t be able to encrypt the connection string even though it is lying in a separate file. This is really critical, as without encrypting the connection string it will be plaintext.
timb said 11 months ago:
Using the link provided by Bryce, you can use an external configuration file to contain a fragment of a configuration file. The external configuration file is then referenced by the main configuration file.
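The arrangement described in the post above, as an added example that is not part of the original thread: the file name `connections.config`, the connection name `AppDb` and every value in the connection string are constructed placeholders. As other replies in the thread point out, the external file is still plaintext on disk; this only moves the secret out of the main web.config.

```xml
<!-- web.config (main file): the section body is replaced by a reference.
     configSource takes a relative path in the same directory or a
     subdirectory of the application. -->
<configuration>
  <connectionStrings configSource="connections.config" />
</configuration>

<!-- connections.config (separate file; the name is an assumption).
     Its root element must be the section itself, not <configuration>. -->
<connectionStrings>
  <add name="AppDb"
       connectionString="Data Source=DB_HOST_PLACEHOLDER;Initial Catalog=DB_NAME_PLACEHOLDER;User ID=DB_USER_PLACEHOLDER;Password=DB_PASSWORD_PLACEHOLDER"
       providerName="System.Data.SqlClient" />
</connectionStrings>
```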
Toiyabe said 10 months, 2 weeks ago:
I believe the external configuration file does not solve the problem, as that file would then need to be encrypted. To do that, you would have to use the same encryption methods one would use on the main web.config.
Because GoDaddy shared hosting is a web farm, you’d have to use the RsaProtectedConfigurationProvider.
This, however, requires exporting of keys from one server and importing into another…according to the article referenced above, “export the encryption keys used to encrypt the data and import them on another server.”
You and I and the average user do not have machine level access to GoDaddy web farm(s).
From Go Daddy’s perspective, I’ve read that so long as your FTP username and password remain secure, there is no way any .config file will be passed to The Internet from IIS.
Problem with this leap of faith is the assumption that none of our computers will encounter malware that will steal user names and passwords.
So encrypting .config files for the present at Go Daddy seems an elusive goal.
The only way I can see one could offer a little protection is to bury the connection string deep inside obfuscated code, and then set the connection strings at run-time in code-behind.