Web.config encryption in shared hosting scenario

Discussion in 'ASP .Net Security' started by Jazza, May 18, 2007.

  1. Jazza

    Jazza Guest

    Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

    I have been using the Personal Web Site Starter Kit and have successfully
    uploaded the site to a shared hosting provider. I am connecting to the SQL
    database via SQL authentication rather than Windows authentication, as I have
    no control over the Windows user accounts. This means the SQL user name and
    password are in clear text in the connection string in web.config.

    Therefore, best practice dictates that I encrypt the web.config file to hide
    the SQL login details. But the only way to encrypt a section of the config
    file is to run aspnet_regiis.exe on the server, to which I have no access.

    What are my options, if any, for protecting my config file? Does anyone know
    of any resources on how to create a custom encryption scheme?


    Jazza, May 18, 2007
    1. Advertisements

  2. Hello Jazza,

    I saw your post because I have a similar problem.

    I just begin to search for a solution because the customer does not allow
    access to the web server where my application has to be deployed. I would
    like to encrypt the database connection string located in the web.config.

    Did you found a solution to this problem? Thanks

    Adriano Labate, Jun 13, 2007
    1. Advertisements

  3. Jazza

    Jazza Guest


    The answer I eventually got was that you can create a custom encryption
    provider based on one of the built-in providers; you encryt the web.config
    file using the custom scheme. The key used to encrypt the file is then saved
    in a file that resides in a secure part of your web application.

    You can then decrypt the web.config file using the same key.

    I haven't implemented this as I decided that it was not worth the effort
    Jazza, Jun 13, 2007
  4. You can do it programmatically.

    Open the config using WebConfigurationManager, get the section using GetSection(),
    and call Protect() on the SectionInformation you get back.
    Dominick Baier, Jun 13, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.