 

How do I keep ASP.net connection string passwords secure on a git repository?

Up until now I have been using gitignore to ignore my web.config and web.release.config files so that my connection strings (including passwords) do not get stored in the git repository.

This has been fine with changes to the web.config being passed around on encrypted removable media.

BUT I have just started to look at using continuous integration and storing my code on Visual Studio Team Services. For this to work (unless you can suggest a fix) I must have the web.config included as part of the project.

I am hosting the application on a Windows server (in-house) with MSSQL DB and a connection to an Oracle DB on a different server.

I'm not the most advanced developer but holding my own so far. All support greatly welcomed.

KELF asked Aug 14 '17 15:08




1 Answer

You can achieve that by moving your connection string details to an external configuration file. Say you move your connection string to a connections.config file:

<connectionStrings>  
  <add name="Name"   
   providerName="System.Data.ProviderName"   
   connectionString="Valid Connection String;" />  
</connectionStrings> 

Now in web.config you can reference this file for the connection string as:

<?xml version='1.0' encoding='utf-8'?>  
<configuration>  
    <connectionStrings configSource="connections.config"/>  
</configuration>   

More detail about external configuration file

After that you can list your connections.config file in your gitignore file.

Then push to your git repo.

But make sure that your readme file contains the necessary settings to apply to make your app work for other developers. As you have moved your connection details to another file, others may not be familiar with that approach, and it may cause some issues.

Bhuban Shrestha answered Oct 06 '22 21:10
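
An added example, not part of the original answer: a pre-commit or CI check, sketched in Python, that confirms web.config points at an external file through configSource, that the file is listed in .gitignore, and that no inline connection string carries a password. The function names, the sample XML and the simplified .gitignore matching are assumptions; inside a real repository `git check-ignore` is the authoritative test.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Credential keyword inside a connection string value (SQL Server / Oracle style).
SECRET_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]+")


def is_ignored(path, gitignore_text):
    """Simplified .gitignore match: plain names and globs only, no '!' rules."""
    lines = (line.strip() for line in gitignore_text.splitlines())
    patterns = [p.lstrip("/") for p in lines if p and not p.startswith(("#", "!"))]
    path = path.replace("\\", "/")
    base = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(base, p) for p in patterns)


def audit_web_config(xml_text, gitignore_text):
    """Return findings for a web.config that is about to be committed."""
    findings = []
    for section in ET.fromstring(xml_text).iter("connectionStrings"):
        source = section.get("configSource")
        if source is None:
            findings.append("connectionStrings has no configSource")
        elif not is_ignored(source, gitignore_text):
            findings.append(f"{source} is not listed in .gitignore")
        # Inline <add> entries travel with web.config into the repository.
        for add in section.iter("add"):
            if SECRET_RE.search(add.get("connectionString", "")):
                findings.append(f"inline password in '{add.get('name')}'")
    return findings


# Constructed samples: the layout from the answer, and an inline secret.
EXTERNAL = ("<?xml version='1.0' encoding='utf-8'?>"
            "<configuration><connectionStrings configSource='connections.config'/>"
            "</configuration>")
INLINE = ("<configuration><connectionStrings><add name='Main' "
          "connectionString='Server=db;User Id=app;Password=EXAMPLE-ONLY;'/>"
          "</connectionStrings></configuration>")

if __name__ == "__main__":
    print(audit_web_config(EXTERNAL, "connections.config\n"))
    print(audit_web_config(EXTERNAL, "bin/\nobj/\n"))
    print(audit_web_config(INLINE, "connections.config\n"))
```

A non-empty result is the signal to fail the commit or the build before the file reaches the remote.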