How do I keep ASP.net connection string passwords secure on a git repository?

Question

Up until now I have been using gitignore to ignore my web.congfig and web.release.config files so that my connections strings (including passwords) do not get stored in the git repository.

This has been fine with changes to the web.config being passed around on encrypted removable media.

BUT I have just started to look at using continuous integration and storing my code on Visual Studio Team Services. For this to work (unless you can suggest a fix) I must have the web.config included as part of the project.

I am hosting the application on a windows server (in-house) with MSSQL DB and a connection to an Oracle DB on different server.

I'm not the most advanced developer but holding my own so far. All support greatly welcomed.

Answer 1

You can achieve that by moving your connection string details to external configuration file. Say you move your connection string to connections.config file

<connectionStrings>  
  <add name="Name"   
   providerName="System.Data.ProviderName"   
   connectionString="Valid Connection String;" />  
</connectionStrings> 

Now in web config you can reference this file for connection string as

<?xml version='1.0' encoding='utf-8'?>  
<configuration>  
    <connectionStrings configSource="connections.config"/>  
</configuration>   

More detail about external configuration file

After that you can list your connections.config file in gitignore file

Then push to your git repo.

But make sure that your readme file contains necessary settings to apply to make your app working for other developer. As you have moved your connection details to another file other may not be familiar with that approach and may cause some issue.