Help Encrypting Connection String

Discussion in 'ASP .Net Security' started by FlyFishGuy, Jan 6, 2006.

  1. FlyFishGuy

    FlyFishGuy Guest

    I am trying to perform the most basic encryption of my connection string in
    web.config and I am totally lost. Before someone flames me for not
    researching before posting, let me tell you that I have read literally
    dozens of explanations and blogs on this and I am more confused than ever.

    Every article I have read starts out with stating what a breeze this is to
    do, but by the time I get to the 3rd paragraph, either my head is spinning
    with encryption technicalities or they assume that I can run aspnet_regiis
    on the server. I don't host my web server, like many people, and I find this
    assumption obnoxious. To make matters worse, virtually every article I've
    read has a different methodology to perform the encryption. I understand
    that there are many ways to skin the same cat in .NET, but I'm looking for
    simple, if it exists. I never used the 2005 beta, and I'm guessing that many
    of these articles are referring to functionality that has subsequently
    changed.

    I'm not trying to hide anything from the NSA. I simply wish to prevent some
    scumbag from trashing my site.
    If I have to spend 40 hours becoming an encryption guru before I can do
    this, then that's fine. I just wish that someone would be up front about
    this and stop stating what a snap it is. If it really is a snap could
    someone please provide me a link to some code that is current, accurate, and
    unassuming. VB is my language, but I'll certainly settle for some C# code.

    Thanks
    FlyFishGuy, Jan 6, 2006
    #1

  2. The biggest decision for you here is how you want to store the encryption
    key. If you are ok with keeping the key in plain text in your web.config
    file or just hard-coding it in your code, then this is pretty easy. That
    won't ward off determined hackers, but it should prevent casual snooping.

    For samples of simple symmetric encryption going back and forth between
    strings (which is probably what you want), I like Ivan's sample on
    www.dotnetthis.com. It is C#, but easy to adapt/convert.

    I also like the crypto capabilities in Enterprise Library for doing this
    stuff as it makes it very simple to use and has nice config support for
    storing the key and a nice GUI for configuring all of it.

    Joe K.

    Joe Kaplan (MVP - ADSI), Jan 6, 2006
    #2

  3. FlyFishGuy

    FlyFishGuy Guest

    I'm certainly OK with starting basic and becoming more aggressive as my
    level of understanding increases. I think I like hardcoding the key as
    opposed to putting it directly in web.config. I don't like to hardcode
    anything, in general, but I'd rather do that with an encryption key than the
    underlying data itself.

    Ivan's code is pretty straightforward, but I've had this vision (based on
    some of the articles I've seen) that I could simply encrypt the section in
    web.config and the framework would decrypt on-the-fly. Perhaps this is only
    when using the aspnet_regiis method or perhaps I'm just confused.

    Regarding the Enterprise Library, I've not heard of it before and I'm all
    about high level classes and nice GUI's. I keep discovering neat tools
    scattered about the place. It looks like 2.0 is not out yet, but v1.1 is
    supposed to be compatible. I don't have much of a code investment in 1.1 but
    I understand that many best practices have changed. Should I just wait for
    2.0 before diving in?

    Thanks Joe


    FlyFishGuy, Jan 6, 2006
    #3
  4. Enterprise Library (either the June 2005 release for .NET 1.1 or the
    upcoming 2.0 release for .NET 2.0) can "magically" encrypt parts of your
    configuration file. You can also use the Ent Lib cryptography block to
    encrypt and decrypt arbitrary strings, so that will certainly work for what
    you want to do.

    Ent Lib also has a notion of a data access block that allows you to
    configure connection strings with a graphical tool and encrypt the whole
    section on the fly if you want. You can programmatically retrieve
    connection strings defined in the configuration if you want. Essentially,
    it offers a variety of ways to solve your problem easily.

    With .NET 1.1, you need the aspnet_regiis thing to encrypt parts of the
    config file, but .NET 2.0 has more options. I'm not really up on them yet
    though so I can't comment on how all of that new stuff works yet.

    Joe K.

    Joe Kaplan (MVP - ADSI), Jan 7, 2006
    #4
  5. hi,

    the "best" way is to use DPAPI - because you don't have to do your own key
    management. There are a lot of wrappers out there, e.g.

    http://www.leastprivilege.com/DPAPITools.aspx

    the tool you are referring to is called aspnet_setreg - it uses DPAPI to
    encrypt the section and places it into web.config - the config file then
    refers to the reg key.

    in 2.0 you can encrypt nearly all config sections out of the box using the
    ProtectedConfiguration provider - there you have the choice of using DPAPI
    or RSA keys.
    There are some sections that you can't encrypt (basically a chicken/egg problem
    or sections that have to be read before managed code is run) - there again
    you have to use aspnet_setreg.

    My recommendation: use DPAPI (either the wrapped API in 1.1 or protectedconfig
    in 2.0).

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jan 7, 2006
    #5
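
The .NET 2.0 protected-configuration route recommended in the reply above, shown as an added example (not code from the thread or from the tools it links to). It encrypts the `<connectionStrings>` section in place from inside the application, for hosts where `aspnet_regiis` cannot be run; the class, page and role names are hypothetical, and it assumes the application identity may write to its own web.config.

```csharp
// Added example; class, page and role names are hypothetical.
// Assumes ASP.NET 2.0 or later and write access to the site's web.config.
using System;
using System.Configuration;
using System.Web.Configuration;
using System.Web.UI;

public static class ConnectionStringProtector
{
    // Names of the two built-in providers registered in machine.config
    // under <configProtectedData>: DPAPI and RSA.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    private const string SectionName = "connectionStrings";

    // Encrypts <connectionStrings> in the web.config at appVirtualPath.
    // Returns false when the section was already encrypted.
    public static bool Protect(string appVirtualPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = GetSection(config);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        // Saving rewrites web.config, which restarts the application.
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses Protect, e.g. before editing the connection string.
    // Returns false when the section was not encrypted.
    public static bool Unprotect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = GetSection(config);
        if (!section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    private static ConfigurationSection GetSection(Configuration config)
    {
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("<connectionStrings> is locked by a parent config file.");
        return section;
    }
}

// Code-behind for a one-off maintenance page (hypothetical ProtectConfig.aspx).
public class ProtectConfigPage : Page
{
    private const string AdminRole = "SiteAdmins"; // hypothetical role name

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Refuse anyone who is not an authenticated administrator.
        if (!Request.IsAuthenticated || !User.IsInRole(AdminRole))
        {
            Response.StatusCode = 403;
            return;
        }
        // Change state only on POST so a followed link cannot trigger it.
        if (Request.HttpMethod != "POST")
        {
            Response.Write("POST to this page to encrypt the section.");
            return;
        }

        bool changed = ConnectionStringProtector.Protect(
            Request.ApplicationPath, ConnectionStringProtector.DpapiProvider);

        // Reads need no decryption code: the configuration system decrypts
        // the section for every caller in the application, including the
        // built-in membership and profile providers. Never echo the value.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["LocalSqlServer"];
        Response.Write(changed ? "Section encrypted." : "Section was already encrypted.");
        Response.Write(cs != null ? " LocalSqlServer resolves." : " LocalSqlServer is not defined.");
    }
}
```

The DPAPI provider's key is specific to the machine, so the section has to be encrypted on the server that will read it. Encryption protects the file at rest only: any code running under the application's identity can still read the decrypted connection string.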
  6. FlyFishGuy

    FlyFishGuy Guest

    My main concern is the decryption side of the equation. I'm using ASP
    membership and profiling, but I have to do it on SQL Server instead of SQL
    Express because my Web Host does not support Express. Currently, I have
    simply 'overridden' the LocalSqlServer connection string to point to my SQL
    Server DB.

    Will either of the suggested encryption models support me being able to
    proceed this way? If I'm retrieving the connection string in my own code, I
    don't see any issues, but since ASP is utilizing the same connection string
    under the hood for membership etc, will I be able to get ASP to decrypt the
    connection string for its own use?

    Thanks

    FlyFishGuy, Jan 7, 2006
    #6
  7. hi,

    you mean classic ASP??

    sure - you can call DPAPI via COM Interop.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > My main concern is the decryption side of the equation. I'm using ASP
    > membership and profiling, but I have to do it on SQL Server instead of
    > SQL Express because my Web Host does not support Express. Currently, I
    > have simply 'overridden' the LocalSqlServer connection string to point
    > to my SQL Server DB.
    >
    > Will either of the suggested encryption models support me being able
    > to proceed this way? If I'm retrieving the connection string in my own
    > code, I don't see any issues, but since ASP is utilizing the same
    > connection string under the hood for membership etc, will I be able to
    > get ASP to decrypt the connection string for it's own use?
    >
    > Thanks
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> hi,
    >> the "best" way is to use DPAPI - because you don't have to do your
    >> own key
    >> management. There are a lot of wrappers out there, e.g.
    >> http://www.leastprivilege.com/DPAPITools.aspx
    >>
    >> the tool you are referring to is called aspnet_setreg - it uses DPAPI
    >> to encrypt the section and places it into web.config - the config
    >> file then refers to the reg key.
    >>
    >> in 2.0 you can encrypt nearly all config section out of the box using
    >> the
    >> ProtectedConfiguration provider - there you have the choice of using
    >> DPAPI
    >> or RSA keys.
    >> There are some section that you can't encrypt (basically a
    >> chicken/egg
    >> problem or section that have to be read before managed code is run) -
    >> there again you have to use aspnet_setreg.
    >> My recommendation : use DPAPI (either the wrapped API in 1.1 or
    >> protectedconfig in 2.0).
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Enterprise Library (either the June 2005 release for .NET 1.1 or the
    >>> upcoming 2.0 release for .NET 2.0) can "magically" encrypt parts of
    >>> your configuration file. You can also use the Ent Lib cryptography
    >>> block to encrypt and decrypt arbitrary strings, so that will
    >>> certainly work for what you want to do.
    >>>
    >>> Ent Lib also has a notion of a data access block that allows you to
    >>> configure connection strings with a graphical tool and encrypt the
    >>> whole section on the fly if you want. You can programmatically
    >>> retrieve connection strings defined in the configuration if you
    >>> want. Essentially, it offers are variety of ways to solve your
    >>> problem easily.
    >>>
    >>> With .NET 1.1, you need the aspnet_regiis thing to encrypt parts of
    >>> the config file, but .NET 2.0 has more options. I'm not really up
    >>> on them yet though so I can't comment on how all of that new stuff
    >>> works yet.
    >>>
    >>> Joe K.
    >>>
    >>> "FlyFishGuy" <> wrote in message
    >>> news:...
    >>>
    >>>> I'm certainly OK with starting basic and becoming more aggressive
    >>>> as my level of understanding increases. I think I like hardcoding
    >>>> the key as opposed to putting it directly in web.config. I don't
    >>>> like to hardcode anything, in general, but I'd rather do that with
    >>>> an encryption key than the underlying data itself.
    >>>>
    >>>> Ivan's code is pretty straightforward, but I've had this vision
    >>>> (based on some of the articles I've seen) that I could simply
    >>>> encrypt the section in web.config and the framework would decrypt
    >>>> on-the-fly. Perhaps this is only when using the aspnet_regiis
    >>>> method or perhaps I'm just confused.
    >>>>
    >>>> Regarding the Enterprise Library, I've not heard of it before and
    >>>> I'm all about high level classes and nice GUI's. I keep discovering
    >>>> neat tools scattered about the place. It looks like 2.0 is not out
    >>>> yet, but v1.1 is supposed to be compatible. I don't have much of a
    >>>> code investment in 1.1 but I understand that many best practices
    >>>> have changed. Should I just wait for 2.0 before diving in?
    >>>>
    >>>> Thanks Joe
    >>>>
    >>>> "Joe Kaplan (MVP - ADSI)"
    >>>> <> wrote in message
    >>>> news:%...
    >>>>
    >>>>> The biggest decision for you here is how you want to store the
    >>>>> encryption key. If you are ok with keeping the key in plain text
    >>>>> in your web.config file or just hard-coding it in your code, then
    >>>>> this is pretty easy. That won't ward off determined hackers, but
    >>>>> it should prevent casual snooping.
    >>>>>
    >>>>> For samples of simple symmetric encryption going back and forth
    >>>>> between strings (which is probably what you want), I like Ivan's
    >>>>> sample on www.dotnetthis.com. It is C#, but easy to
    >>>>> adapt/convert.
    >>>>>
    >>>>> I also like the crypto capabilities in Enterprise Library for
    >>>>> doing this stuff as it makes it very simple to use and has nice
    >>>>> config support for storing the key and a nice GUI for configuring
    >>>>> all of it.
    >>>>>
    >>>>> Joe K.
    >>>>>
    >>>>> "FlyFishGuy" <> wrote in message
    >>>>> news:...
    >>>>>
    >>>>>> I am trying to perform the most basic encryption of my connection
    >>>>>> string in web.config and I am totally lost. Before someone flames
    >>>>>> me for not researching before posting, let me tell you that I
    >>>>>> have read literally dozens of explanations and blogs on this and
    >>>>>> I am more confused than ever.
    >>>>>>
    >>>>>> Every article I have read starts out with stating what a breeze
    >>>>>> this is to do, but by the time I get to the 3rd paragraph, either
    >>>>>> my head is spinning with encryption technicalities or they assume
    >>>>>> that I can run aspnet_regiis on the server. I don't host my web
    >>>>>> server, like many people, and I find this assumption obnoxious.
    >>>>>> To make matters worse, virtually every article I've read has a
    >>>>>> different methodology to perform the encryption. I understand
    >>>>>> that there are many ways to skin the same cat in .NET, but I'm
    >>>>>> looking for simple, if it exists. I never used the 2005 beta, and
    >>>>>> I'm guessing that many of these articles are referring to
    >>>>>> functionality that has subsequently changed.
    >>>>>>
    >>>>>> I'm not trying to hide anything from the NSA. I simply wish to
    >>>>>> prevent some scumbag from trashing my site.
    >>>>>> If I have to spend 40 hours becoming an encryption guru before I
    >>>>>> can do this, then that's fine. I just wish that someone would be up
    >>>>>> front about this and stop stating what a snap it is. If it really
    >>>>>> is a snap could someone please provide me a link to some code that
    >>>>>> is current, accurate, and unassuming. VB is my language, but I'll
    >>>>>> certainly settle for some C# code.
    >>>>>>
    >>>>>> Thanks
    Dominick Baier [DevelopMentor], Jan 7, 2006
    #7
  8. FlyFishGuy

    FlyFishGuy Guest

    I apologize for being a lazy typist. I do mean ASP.NET... does anyone still
    use ASP ;)

    I've seen DPAPI examples before, but many have been confusing or incomplete.
    I think I found a simple straightforward example at
    http://msdn2.microsoft.com/en-us/li...tion.dpapiprotectedconfigurationprovider.aspx

    It appears that I don't have to do anything else after encrypting my
    web.config section and ASP.NET membership services will be able to read the
    encrypted data without my intervention. This is what I want if that is true.

    It also looks like DPAPI uses a machine specific key, so I'll need to run
    the encryption code on the production box. I believe I'll have to publish
    web.config unencrypted and then create an aspx (which only I have access to)
    so that I can invoke the encryption code remotely.

    Am I going down the right path?

    Thanks

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > hi,
    > you mean classic ASP??
    >
    > sure - you can call DPAPI via COM Interop.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> My main concern is the decryption side of the equation. I'm using ASP
    >> membership and profiling, but I have to do it on SQL Server instead of
    >> SQL Express because my Web Host does not support Express. Currently, I
    >> have simply 'overridden' the LocalSqlServer connection string to point
    >> to my SQL Server DB.
    >>
    >> Will either of the suggested encryption models support me being able
    >> to proceed this way? If I'm retrieving the connection string in my own
    >> code, I don't see any issues, but since ASP is utilizing the same
    >> connection string under the hood for membership etc, will I be able to
    >> get ASP to decrypt the connection string for its own use?
    >>
    >> Thanks
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> hi,
    >>> the "best" way is to use DPAPI - because you don't have to do your
    >>> own key management. There are a lot of wrappers out there, e.g.
    >>> http://www.leastprivilege.com/DPAPITools.aspx
    >>>
    >>> the tool you are referring to is called aspnet_setreg - it uses DPAPI
    >>> to encrypt the section and places it into web.config - the config
    >>> file then refers to the reg key.
    >>>
    >>> in 2.0 you can encrypt nearly all config sections out of the box
    >>> using the ProtectedConfiguration provider - there you have the choice
    >>> of using DPAPI or RSA keys.
    >>> There are some sections that you can't encrypt (basically a
    >>> chicken/egg problem or sections that have to be read before managed
    >>> code is run) - there again you have to use aspnet_setreg.
    >>> My recommendation: use DPAPI (either the wrapped API in 1.1 or
    >>> protectedconfig in 2.0).
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Enterprise Library (either the June 2005 release for .NET 1.1 or the
    >>>> upcoming 2.0 release for .NET 2.0) can "magically" encrypt parts of
    >>>> your configuration file. You can also use the Ent Lib cryptography
    >>>> block to encrypt and decrypt arbitrary strings, so that will
    >>>> certainly work for what you want to do.
    >>>>
    >>>> Ent Lib also has a notion of a data access block that allows you to
    >>>> configure connection strings with a graphical tool and encrypt the
    >>>> whole section on the fly if you want. You can programmatically
    >>>> retrieve connection strings defined in the configuration if you
    >>>> want. Essentially, it offers a variety of ways to solve your
    >>>> problem easily.
    >>>>
    >>>> With .NET 1.1, you need the aspnet_regiis thing to encrypt parts of
    >>>> the config file, but .NET 2.0 has more options. I'm not really up
    >>>> on them yet though so I can't comment on how all of that new stuff
    >>>> works yet.
    >>>>
    >>>> Joe K.
    >>>>
    >>>> "FlyFishGuy" <> wrote in message
    >>>> news:...
    >>>>
    >>>>> I'm certainly OK with starting basic and becoming more aggressive
    >>>>> as my level of understanding increases. I think I like hardcoding
    >>>>> the key as opposed to putting it directly in web.config. I don't
    >>>>> like to hardcode anything, in general, but I'd rather do that with
    >>>>> an encryption key than the underlying data itself.
    >>>>>
    >>>>> Ivan's code is pretty straightforward, but I've had this vision
    >>>>> (based on some of the articles I've seen) that I could simply
    >>>>> encrypt the section in web.config and the framework would decrypt
    >>>>> on-the-fly. Perhaps this is only when using the aspnet_regiis
    >>>>> method or perhaps I'm just confused.
    >>>>>
    >>>>> Regarding the Enterprise Library, I've not heard of it before and
    >>>>> I'm all about high level classes and nice GUI's. I keep discovering
    >>>>> neat tools scattered about the place. It looks like 2.0 is not out
    >>>>> yet, but v1.1 is supposed to be compatible. I don't have much of a
    >>>>> code investment in 1.1 but I understand that many best practices
    >>>>> have changed. Should I just wait for 2.0 before diving in?
    >>>>>
    >>>>> Thanks Joe
    FlyFishGuy, Jan 8, 2006
    #8
  9. hi,

    yes exactly.

    there is a command line tool called aspnet_regiis that can do the encryption.
    or you write a page like you said.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I apologize for being a lazy typist. I do mean ASP.NET... does anyone
    > still use ASP ;)
    >
    > I've seen DPAPI examples before, but many have been confusing or
    > incomplete. I think I found a simple straightforward example at
    > http://msdn2.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider.aspx
    >
    > It appears that I don't have to do anything else after encrypting my
    > web.config section and ASP.NET membership services will be able to
    > read the encrypted data without my intervention. This is what I want
    > if that is true.
    >
    > It also looks like DPAPI uses a machine specific key, so I'll need to
    > run the encryption code on the production box. I believe I'll have to
    > publish web.config unencrypted and then create an aspx (which only I
    > have access to) so that I can invoke the encryption code remotely.
    >
    > Am I going down the right path?
    >
    > Thanks
    Dominick Baier [DevelopMentor], Jan 8, 2006
    #9
  10. FlyFishGuy

    FlyFishGuy Guest

    Well I stumbled for a few minutes until I figured out I needed to use
    WebConfigurationManager.OpenWebConfiguration() instead of
    ConfigurationManager.OpenExeConfiguration() in the sample code I found on
    MSDN, but this is EXACTLY what I need.

    It works like a charm, and I have everything I need in a couple dozen lines
    of code. I'm just getting started in .NET and this is my first post to one
    of the newsgroups. I kick myself when I think how much time I spent sifting
    through the web for a practical solution.

    I thank you Dominick and Joe for your time and your assistance.


    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > hi,
    > yes exactly.
    >
    > there is a command line tool called aspnet_regiis that can do the
    > encryption. or you write a page like you said.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    FlyFishGuy, Jan 8, 2006
    #10
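
The approach settled on in #8 to #10, as an added example that is not code from the thread or from the MSDN sample: a code-behind for a one-off page that encrypts the connectionStrings section with the DPAPI provider through WebConfigurationManager.OpenWebConfiguration(). The class name ProtectConfigPage, the "Administrators" role check and the status messages are assumptions for illustration, and the worker process identity is assumed to have write access to web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;
using System.Web.UI;

// Hypothetical code-behind for a one-off page such as ProtectConfig.aspx.
public partial class ProtectConfigPage : Page
{
    // Default name under which machine.config registers
    // DpapiProtectedConfigurationProvider.
    private const string DpapiProvider = "DataProtectionConfigurationProvider";
    private const string SectionName = "connectionStrings";

    protected void Page_Load(object sender, EventArgs e)
    {
        // "An aspx which only I have access to": refuse everyone who is not
        // an authenticated member of the (assumed) Administrators role.
        if (!Request.IsAuthenticated || !User.IsInRole("Administrators"))
        {
            Response.StatusCode = 403;
            return;
        }

        Response.ContentType = "text/plain";
        // Only a status message is written; the connection string itself
        // is never echoed back to the browser.
        Response.Write(ProtectSection(Request.ApplicationPath));
    }

    // Encrypts the section in the web.config of the given virtual path and
    // returns a status message. Safe to call more than once.
    private static string ProtectSection(string appPath)
    {
        // OpenWebConfiguration (not OpenExeConfiguration) is the call that
        // resolves web.config for a web application.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
        {
            return "Section '" + SectionName + "' not found.";
        }

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
        {
            return "Section is already encrypted; nothing to do.";
        }
        if (info.IsLocked)
        {
            return "Section is locked by a parent configuration file.";
        }

        // DPAPI uses a machine-specific key, so this has to run on the
        // production server that will later decrypt the section.
        info.ProtectSection(DpapiProvider);
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Re-open the file and confirm the change reached disk.
        Configuration check = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection saved = check.GetSection(SectionName);
        bool ok = saved != null && saved.SectionInformation.IsProtected;
        return ok
            ? "Section encrypted with " + DpapiProvider + "."
            : "Save completed but the section is still in clear text.";
    }
}
```

Once web.config shows an EncryptedData element inside connectionStrings, remove the page from the site. Membership and any code reading ConfigurationManager.ConnectionStrings keep working unchanged, because the framework decrypts the section when it loads it.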