
Connection String Encryption, what's the idea?

Tags:

c#

.net

asp.net

If I am encrypting the connection string section, anyone who has the web.config can decrypt the information.

There is no password key which is known only to me or something similar....

What's the idea here?? Anyone who will have that web.config with VS, will be able to decipher the info...

I don't get the idea...

Royi Namir asked Jul 23 '11 14:07



2 Answers

You wrongly assume that anyone can decrypt the web.config. Once the config file section is encrypted, it can only be decrypted on the same machine (or the machine that has got the same key - this is for web farming).

Usually, it is fairly easy to download the actual web.config remotely (through vulnerabilities). But the malicious user will not have your key and will not be able to decrypt the file (or sections with sensitive data).

The point here is that you have got to trust your site hoster, that is, that the sensitive key will not be distributed.

oleksii answered Sep 21 '22 04:09


You can specify the encryption provider, but the default is the RSA provider. There is a key used, but it is 'secret'. So someone would need privileges to run applications on your server, or unrestricted access to the file system, in order to unencrypt your web.config.

This (especially step 2) talks about it:

http://msdn2.microsoft.com/en-us/library/ms998283.aspx

hatchet - done with SOverflow answered Sep 21 '22 04:09
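
The mechanism both answers describe, as an added example that is not part of the original answers: the section is encrypted with the default RSA provider, whose key lives in a key container on the server rather than in web.config, so a copied file cannot be read elsewhere. The class and method names, the virtual path passed to `Protect`, and the connection-string name passed to `Read` are assumptions.

```csharp
// Added example. Targets .NET Framework; reference System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector // hypothetical helper name
{
    // Name of the default RSA protected-configuration provider.
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the web.config at the given virtual path.
    // Returns false when the section was already encrypted.
    public static bool Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");

        if (section.SectionInformation.IsProtected)
            return false;

        // The provider encrypts with a key held in an RSA key container on this
        // machine. Nothing that can decrypt the section is written to web.config.
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Application code reads the value exactly as before: the runtime decrypts
    // transparently, but only where the key container exists and the calling
    // identity is allowed to open it.
    public static string Read(string name)
    {
        try
        {
            ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[name];
            return s == null ? null : s.ConnectionString;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Expected when web.config was copied to a machine without the key.
            Console.Error.WriteLine("Cannot decrypt connectionStrings: " + ex.Message);
            return null;
        }
    }
}
```

Calling `Read` on the server that ran `Protect` returns the plaintext connection string; the same web.config opened on a machine without the key container ends up in the `catch` branch.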