What is the best practice for storing database connection details in .NET?

Question

This might be a duplicate (question) but I am looking specifically for the .NET best practice.

How to store database connection strings, username and password etc. in a safe way? Is an encrypted app.config best in most cases?

I would also like to be able to set the password in the config file and then have it encrypted as soon as the application starts. (I am not asking for a solution as I have solved this before, I'm just looking for best practise(s)).

I'm also interested in alternative solutions that you have good experiences with.

Answer 1

I think the best practice is to use integrated security if possible, for 2 reasons... It is the easiest solution to manage and it is the easiest solution to get right.

If for some reason you can't use integrated security and you have to use username and password encrypt them using something like the Enterprise Library's Config Manager to encrypt sections of your web.config.

Answer 2

There are several things that we should know about protecting connection strings: http://msdn.microsoft.com/en-us/library/89211k9b.aspx

In my view the best way to store them (the one that combines flexibility and security) is "Encrypting Configuration File Sections Using Protected Configuration": http://msdn.microsoft.com/en-us/library/ms254494.aspx

Answer 3

That would be web.config. You can encrypt the connection string if secrity is a concern.