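[Repost] Encrypt ConnectionString in Web.Config [Encrypting the database connection string in ASP.NET web.config]
Original link: https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
web.config usually holds some critical information, such as database connection strings; if it is not encrypted, that is a security risk.
This post reposts a tutorial written by an Indian developer that uses the aspnet_regiis tool shipped with the .NET Framework to encrypt web.config.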
Introduction
This tip explains how to encrypt the connection string in Web.Config to increase security and protect the database connection details. Much other sensitive information can be encrypted as well, but in this tip I'll focus on encrypting the ConnectionString in the Web.Config file.
Why It Is Important?
Encrypting sensitive sections of the Web.Config is important because they are just that, sensitive. Think about a production Web.Config file. It may contain all the information required to run your web application. There are often passwords for SQL database connections, SMTP servers, API keys, or other critical information. In addition, Web.Config files are usually treated as just another source code file, which means any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in the Web.Config file.
Encrypting the Connection String
In our example, we will encrypt the ConnectionString in our Web.Config file.
Before Encrypting Web.Config
If you look at the config file below, it is easily readable. This is not secure if anyone has access to your Web.Config file.
<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
  </connectionStrings>
</configuration>
Encrypting Web.Config
- Open Command Prompt with Administrator privileges.
- At the Command Prompt, enter:
  cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
- If your Web.config is located in the "D:\Articles\EncryptWebConfig" directory, enter the following to encrypt the connectionStrings section:
  ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use the Aspnet_regiis.exe tool with the -pef option and specify the application path as shown above.
Note: The parameter "connectionStrings" is case sensitive.
After Encrypting Web.Config
After encrypting your ConnectionStrings section, your connection strings will no longer be in a readable format.

<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>ZbDTF00MYzUUW5U3w3PU0rfiAH1UKhvuLSNWPmB/YifBKne6HAWfVc3CnKVimyP8SFyamaR5oAIAxj/xavfpox8EOYXNI+afsksiuA5huSDupCZKNuXq+VCZrdIyn6YOq+W7s3Ojlu7q9VwKcoKurl28l2hcPvWkBk11KYB7hr0=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>42IPPRUjJxCNDHEBLCAJI4/NyLpLueZSBzUXO69lVdZU8+nLpxO+opnbZNxqddyzNnbCO1Uk2Da3ljExkqnLIxT2zs90JAhZvJ5ljIgCipq7ZEp7zHOpvTH9fBGoZJJWhgdddOrHZsLDE9mILjlvBHDhPQrYcMHtY6oLIbxJq92it82iBJv0fS7v1S/o0p4hAtfky+6hXCZWSKUJHr88NDrKe2EEK3mazD2QD5Ozf/w=</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
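An added example (not part of the original tip or its author's code): a Python check, usable in a repository or deployment audit, that classifies the connectionStrings section of a Web.config as plaintext or encrypted and reports the provider and algorithm identifiers from the EncryptedData element without echoing any connection string value. The function names, the "Reporting" entry and the placeholder cipher text are constructed for illustration, and the script assumes a configuration root element with no default XML namespace.

```python
import re
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"x": XENC, "d": DSIG}
PASSWORD_KEY = re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=")

def _alg(parent):
    """Algorithm name (URI fragment) of parent's EncryptionMethod child, or None."""
    method = parent.find("x:EncryptionMethod", NS) if parent is not None else None
    return method.get("Algorithm", "").rpartition("#")[2] if method is not None else None

def audit_connection_strings(config_xml):
    """Classify <connectionStrings> as absent, plaintext or encrypted; never echo values."""
    section = ET.fromstring(config_xml).find("connectionStrings")
    if section is None:
        return {"status": "absent"}
    provider = section.get("configProtectionProvider")
    if provider is None:  # plaintext: report names and password presence only
        return {"status": "plaintext", "entries": [
            (add.get("name"), bool(PASSWORD_KEY.search(add.get("connectionString", ""))))
            for add in section.findall("add")]}
    # Outer EncryptionMethod covers the section data; the one inside EncryptedKey
    # covers the wrapped session key.
    enc = section.find("x:EncryptedData", NS)
    key = enc.find("d:KeyInfo/x:EncryptedKey", NS) if enc is not None else None
    key_name = key.findtext("d:KeyInfo/d:KeyName", namespaces=NS) if key is not None else None
    return {"status": "encrypted", "provider": provider, "data_algorithm": _alg(enc),
            "key_algorithm": _alg(key), "key_name": key_name}

# Constructed samples: the second entry and the cipher text are placeholders.
SAMPLE_PLAINTEXT = """<configuration><connectionStrings>
<add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
<add name="Reporting" connectionString="Data Source=db01;User ID=app;Password=example-only;" />
</connectionStrings></configuration>"""
SAMPLE_ENCRYPTED = f"""<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="{XENC}Element" xmlns="{XENC}">
<EncryptionMethod Algorithm="{XENC}tripledes-cbc" />
<KeyInfo xmlns="{DSIG}"><EncryptedKey xmlns="{XENC}">
<EncryptionMethod Algorithm="{XENC}rsa-1_5" />
<KeyInfo xmlns="{DSIG}"><KeyName>Rsa Key</KeyName></KeyInfo>
<CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedKey></KeyInfo>
<CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
</EncryptedData></connectionStrings></configuration>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PLAINTEXT, SAMPLE_ENCRYPTED):
        print(audit_connection_strings(sample))
```

For the encrypted sample the report lists tripledes-cbc and rsa-1_5, the same algorithm identifiers that appear in the encrypted section shown above.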
Accessing Decrypted Configuration Settings
It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?
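// Look up the entry by name (requires "using System.Configuration;"); ASP.NET decrypts the section transparently.
string ConnString = ConfigurationManager.ConnectionStrings["SqlServices"].ConnectionString;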
Decrypting the Connection String
Is it possible to decrypt my Web.Config so that I can read it in original format?
Yes, it is possible.
Simply run the following command to decrypt the connectionStrings element in the Web.config file.
ASPNET_REGIIS -pdf "connectionStrings" "D:\Articles\EncryptWebConfig"
Note: The parameter "connectionStrings" is case sensitive.
Questions and Answers
1. You might ask: if the Web.Config file can be encrypted and decrypted using ASPNET_REGIIS, then anyone who has access to the Web.Config file can decrypt the content, right?
To answer this question, I would say no. If you encrypt your Config file, your machine stores the keys, and if you copy the Config file to a different system and try to decrypt it there, you might get an error.
Pros
- Web.Config sensitive information is not in a readable condition (after encryption)
- You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request
Cons
- You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.
Points of Interest
Web.Config encryption only takes a couple moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker that has full access to your entire server.
I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?