【转】Encrypt ConnectionString in Web.Config 【加密ASP.NET web.config数据库链接字串】
原文链接:https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
web.config中一般会存放一些关键的信息,比如数据库链接字串,如果没有加密,就会有安全风险。
本次文章转载一个印度小哥写的教程,使用.net framwork自带的aspnet_regiis组件为web.config加密
Introduction
The tip gives you information about how to encrypt the connection string in Web.Config to increase the security and keep the connection with the database secure. There is so much other sensitive information that can be encrypted but in this tip, I'll particularly talk about encrypting the ConnectionString
in Web.Config file.
Why It Is Important?
Encrypting sensitive sections of the Web.Config is important because they are just that, sensitive. Think about production Web.Config file. It may contain all information that requires running your web application. There are often passwords for SQL database connections, SMTP server, API Keys, or other critical information. In addition to this, Web.Config files are usually treated as just another source code file, that means, any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in Web.Config file.
Encrypting the Connection String
In our example, we will encrypt ConnectionString
in our Web.Config file.
Before Encrypting Web.Config
If you look at the below Config file, it can be easily readable. This doesn't seem to be secure if anyone has access to your Web.Config file.
<configuration>
<connectionStrings>
<add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
</connectionStrings>
</configuration>
Encrypting Web.Config
- Open Command Prompt with Administrator privileges
- At the Command Prompt, enter:
Hide Copy Code
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
- In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the
ConnectionString
:Hide Copy CodeASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use Aspnet_regiis.exe tool with the
–pef
option and specify the application path as shown above.Note: The parameter "
connectionStrings
" is case sensitive.
After Encrypting Web.Config
After encrypting your ConnectionStrings
section, your ConnectionStrings
will not be in a readable format.

<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>ZbDTF00MYzUUW5U3w3PU0rfiAH1UKhvuLSNWPmB/YifBKne6HAWfVc3CnKVimyP8SFyamaR5oAIAxj/xavfpox8EOYXNI+afsksiuA5huSDupCZKNuXq+VCZrdIyn6YOq+W7s3Ojlu7q9VwKcoKurl28l2hcPvWkBk11KYB7hr0=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>42IPPRUjJxCNDHEBLCAJI4/NyLpLueZSBzUXO69lVdZU8+nLpxO+opnbZNxqddyzNnbCO1Uk2Da3ljExkqnLIxT2zs90JAhZvJ5ljIgCipq7ZEp7zHOpvTH9fBGoZJJWhgdddOrHZsLDE9mILjlvBHDhPQrYcMHtY6oLIbxJq92it82iBJv0fS7v1S/o0p4hAtfky+6hXCZWSKUJHr88NDrKe2EEK3mazD2QD5Ozf/w=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
</configuration>
Accessing Decrypted Configuration Settings
It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?
string ConnString = ConfigurationManager.ConnectionStrings[1].ToString();
Decrypting the Connection String
Is it possible to decrypt my Web.Config so that I can read it in original format?
Yes, it is possible.
Simply perform the following command to decrypt the connectionStrings
element in the Web.config file.
ASPNET_REGIIS -pdf "connectionStrings" "D:\Articles\EncryptWebConfig"
Note: The parameter "connectionStrings
" is case sensitive.
Questions and Answers
1. You might ask me a question if Web.Config file can be encrypted and decrypted using ASPNET_REGIIS
then anyone who has access to Web.Config file can decrypt the content, right?
To answer this question, I would say no, if you encrypt your Config file, then your machine would store your keys and if you copy the Config file to a different system and try to decrypt it, then you might get an error.
Pros
- Web.Config sensitive information is not in a readable condition (after encryption)
- You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request
Cons
- You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.
Points of Interest
Web.Config encryption only takes a couple moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker that has full access to your entire server.
I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?
【转】Encrypt ConnectionString in Web.Config 【加密ASP.NET web.config数据库链接字串】的更多相关文章
- ASP.NET Web API和ASP.NET Web MVC中使用Ninject
ASP.NET Web API和ASP.NET Web MVC中使用Ninject 先附上源码下载地址 一.准备工作 1.新建一个名为MvcDemo的空解决方案 2.新建一个名为MvcDemo.Web ...
- 【翻译】使用Knockout, Web API 和 ASP.Net Web Forms 进行简单数据绑定
原文地址:http://www.dotnetjalps.com/2013/05/Simple-data-binding-with-Knockout-Web-API-and-ASP-Net-Web-Fo ...
- Knockout, Web API 和 ASP.Net Web Forms 进行简单数据绑定
使用Knockout, Web API 和 ASP.Net Web Forms 进行简单数据绑定 原文地址:http://www.dotnetjalps.com/2013/05/Simple-da ...
- App.config使用ASP.NET Web Project的Transformation
1.创建对应configuration的App.config文件,比如:App.Debug.config.App.Release.config. 2.编辑项目文件,将App.*.config文件的Bu ...
- [转] JSON Web Token in ASP.NET Web API 2 using Owin
本文转自:http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/ ...
- JSON Web Token in ASP.NET Web API 2 using Owin
In the previous post Decouple OWIN Authorization Server from Resource Server we saw how we can separ ...
- 在ASP.NET Web API和ASP.NET Web MVC中使用Ninject
先附上源码下载地址 一.准备工作 1.新建一个名为MvcDemo的空解决方案 2.新建一个名为MvcDemo.WebUI的空MVC应用程序 3.使用NuGet安装Ninject库 二.在ASP.N ...
- 【Web API2】ASP.NET Web API Security
实现安全的方式既可以是host提供,也可以框架提供. 1,HTTP Module 方式,工作在IIS上,所以web api要托管在IIS上才行.其作用于HTTP管道的最前端,所以这种方式影响的是全局, ...
- Web API 2 入门——使用Web API与ASP.NET Web窗体(谷歌翻译)
在这篇文章中 概观 创建Web窗体项目 创建模型和控制器 添加路由信息 添加客户端AJAX 作者:Mike Wasson 虽然ASP.NET Web API与ASP.NET MVC打包在一起,但很容易 ...
随机推荐
- Strings in the Pocket(马拉车+字符串判断)
题目:http://acm.zju.edu.cn/onlinejudge/showProblem.do?problemId=6012 BaoBao has just found two strings ...
- iOS通过dSYM文件分析crash
重点是dwarfdump --uuid命令 我们在iOS开发中会碰到的很多crash问题,如果Debug调试模式的话,我们可以往往很容易的根据log的输出定位到导致crash的原因,但对于已经上线的应 ...
- Logstash 性能及其替代方案
介绍 当谈及集中日志到 Elasticsearch 时,首先想到的日志传输(log shipper)就是 Logstash.开发者听说过它,但是不太清楚它具体是干什么事情的: 当深入这个话题时,我们才 ...
- acedSSGet使用自定义提示字符:$模式
ads_name ss; struct resbuf *pRbList=NULL; pRbList=acutBuildList(RTDXF0,_T("lwpolyline,ins ...
- Oracle数据库中日期/数字和字符之间的转换和计算
--查出当前系统时间 select SYSDATE from table; --格式转换 -- TO_CHAR 把日期或数字转换为字符串 -- TO_CHAR(number, '格式') -- TO_ ...
- POJ1475 Pushing Boxes(双搜索)
POJ1475 Pushing Boxes 推箱子,#表示墙,B表示箱子的起点,T表示箱子的目标位置,S表示人的起点 本题没有 Special Judge,多解时,先最小化箱子被推动的次数,再最小化 ...
- 手动博客重定向 https://www.cnblogs.com/kelthuzadx/
https://www.cnblogs.com/kelthuzadx/ 博客狂魔又㕛叒换地址了
- 虚拟立方体调用非共享维度的时候需要指定cubeName,否则Schema无效
但是,即使把非共享维度放上去,会出现一种情况. 一旦放入资产负债的非公共维度进去后,报表的度量值只能出现资产负债的度量值,不能出现损益的度量值了!
- weex 编译vue成js
cd 项目 1.开发 npm run web 开发过程中可以直接使用浏览器运行 npm run ios 2.打包 npm run build 会在 dist 文件夹 中生成js文件, 即可拖入ios ...
- 项目Alpha冲刺 6
作业描述 课程: 软件工程1916|W(福州大学) 作业要求: 项目Alpha冲刺(团队) 团队名称: 火鸡堂 作业目标: 介绍第6天冲刺的项目进展.问题困难和心得体会 1.团队信息 队名:火鸡堂 队 ...