ryan.d.rembaum
I have an ASPX form (.net) that has a connection string in the
web.config file. I have been trying to figure out how to encrypt the
string and have stumbled across the Win32 DPAPI as the recommended tool
of choice since it does not require you store the keys anywhere. I
have a few questions though. If you plan to migrate to a new server,
change the account the web service runs under, or if the server
were to crash requiring, say, the OS be reloaded, would all be lost or
would the system be able to get the decrypt/encrypt keys through some
sort of domain backup? If the keys are retrievable, then why do people
not recommend encrypting database passwords in this manner, since the
web server could request the encrypted password, unencrypt it and
compare it to the password entered.
Lastly, I was reading that a password might be required to start the
encryption process off. If this is the case, doesn't that bring me
back to the problem of where to store the password?
Thanks,
Ryan