
Encrypt ConnectionString in entity framework (first code)

How can I protect my connection string? I want to use Entity framework 4.1 (first code) in C#, but it is important to me that other people cannot see my connection string.

Mahdi jokar asked Jan 06 '12 15:01


3 Answers

There is no difference between using EF and any other ORM. You can use the standard way of encrypting the connection string, and decrypting it before the initialization of the EF context will happen automagically.

  • Encrypting and Decrypting Configuration Sections
  • Programmatically Encrypt and Decrypt Configuration Sections in web.config using ASP.NET
  • How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
  • How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
Jahan Zinedine answered Nov 15 '22 08:11


You can arrest calls to the connection string from the Context Class (DBContext or IdentityDbContext if using ASPNET Identity) and modify the connection string returned. In my case, instead of encrypting the entire connection string, I chose to encrypt just the password. You can use the same approach to encrypt the entire connection string.

Note: The function (StringCipher.Decrypt) used to encrypt and decrypt came from this thread -> https://stackoverflow.com/a/1344255/1390025

Here is where you arrest the call to the connection string

    public YourDB()
        : base(GetSqlConnection("DefaultConnection"))
    {}

In the above scenario I'm getting the connection string from app.config or web.config. However, as per your request, you can encrypt the entire connection string, as in the example below:

    public YourDB()
        : base(StringCipher.Decrypt("your-encrypted-connection-string", "passphrase-used-to-encrypt"))
    {}

In the scenario where only the password is encrypted, the function below replaces the encrypted password with plain text and returns the connection string:

    // Requires: using System.Configuration; (reference System.Configuration.dll)
    public static string GetSqlConnection(string connectionStringName = "DefaultConnection")
    {
        // defaults to "DefaultConnection" if no connection string name is passed in
        string connectionString = ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;
        string passPhrase = "passphrase-used-to-encrypt";
        // extract the encrypted password value
        string password = get_prase_after_word(connectionString, "password=", ";");
        if (string.IsNullOrEmpty(password))
        {
            // no password found: Replace("") would throw, so return the string unchanged
            return connectionString;
        }
        // swap the encrypted value for the decrypted password
        return connectionString.Replace(password, StringCipher.Decrypt(password, passPhrase));
    }

The function used to parse the password from the connection string

    // Requires: using System;
    public static string get_prase_after_word(string search_string_in, string word_before_in, string word_after_in)
    {
        if (string.IsNullOrEmpty(search_string_in) || string.IsNullOrEmpty(word_before_in))
        {
            return string.Empty;
        }

        // find where "word_before_in" starts (case-insensitive); -1 means it is absent
        int myStartPos = search_string_in.IndexOf(word_before_in, StringComparison.OrdinalIgnoreCase);
        if (myStartPos < 0)
        {
            return string.Empty;
        }

        // extract the remaining text after "word_before_in"
        string myWorkString = search_string_in.Substring(myStartPos + word_before_in.Length);

        if (!string.IsNullOrEmpty(word_after_in))
        {
            // cut at "word_after_in"; if it is absent the value runs to the end of the string
            int myEndPos = myWorkString.IndexOf(word_after_in, StringComparison.Ordinal);
            if (myEndPos >= 0)
            {
                myWorkString = myWorkString.Substring(0, myEndPos);
            }
        }
        return myWorkString.Trim();
    }
dunwan answered Nov 15 '22 10:11


You can use the same tool that you can use for ASP.NET applications.

Make sure to have a backup before you do the following!

  1. Look here: 'C:\Windows\Microsoft.NET\Framework' for your version or just the newest.
  2. Open the folder of your version
  3. Search for 'aspnet_regiis'
  4. Right-click it and select properties then copy the path of the location
  5. Now rename the 'app.config' file in your project to 'web.config' (you can do that in Visual Studio)
  6. Open the command prompt
  7. Type in '\aspnet_regiis -pef "connectionStrings" '
  8. Press enter
  9. It should give you something like 'Successfully encrypted' or so
  10. Now you can rename your 'web.config' file back to 'app.config'

Now you can look into the app.config and see that the connection string is encrypted.

juliushuck answered Nov 15 '22 09:11
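
The protected-configuration approach from the first and third answers can also be applied from code, without renaming app.config and without a passphrase in the source. The following is an added example, not code from any of the answers; it assumes a desktop application whose app.config has an entry named DefaultConnection, references to System.Configuration and EntityFramework, and it reuses the YourDB class name from the second answer for illustration (ConnectionStringProtector and EnsureProtected are hypothetical names).

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.Data.Entity;     // EntityFramework 4.1+

// Hypothetical context; the class and entry names follow the second answer.
public class YourDB : DbContext
{
    // "name=" tells EF to look the entry up in the config file; the protected
    // configuration provider decrypts the section transparently on read.
    public YourDB() : base("name=DefaultConnection") { }
}

public static class ConnectionStringProtector
{
    // DPAPI provider registered in machine.config. By default it uses the
    // machine-level key: the ciphertext only decrypts on this machine.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in <exe>.config if it is still plain text.
    // Returns true if the file was rewritten, false if already protected.
    public static bool EnsureProtected()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        bool changed = ConnectionStringProtector.EnsureProtected();
        Console.WriteLine(changed ? "connectionStrings encrypted" : "already encrypted");

        // new YourDB() now works unchanged. The value is plain text in memory; never log it.
        bool readable = ConfigurationManager.ConnectionStrings["DefaultConnection"] != null;
        Console.WriteLine("DefaultConnection readable: " + readable);
    }
}
```

OpenExeConfiguration rewrites the deployed `<exe>.config` next to the binary, not the app.config in the project, so the call has to run on the target machine, for example at first start or from the installer.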