Connection string encryption and decryption

Web applications use connection strings to connect to databases with certain credentials and other configuration. For example, a connection string can tell your web application to connect to X database at ServerA by using Z username and Y password.

Connection strings are mostly stored in web.config. This means that connection-specific information such as the database name, username, and password is stored as clear text in a file. This is definitely a security concern for your Production servers, which is why the connection strings should be encrypted.

You can use the ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt and decrypt your connection strings. There are two scenarios to consider:

  1. Encryption/decryption for a Single Server
  2. Encryption/decryption for a Web Farm

Single server

Use the steps below for encryption and decryption when there is only one IIS server. The method below uses the default key provider.

  1. Run Command Prompt as Administrator
  2. Go to C:\Windows\Microsoft.NET\Framework\v4.0.30319
  3. Perform the command below to encrypt the connection string in your web.config:
    ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
  4. Open web.config and check if the connection string is encrypted
  5. Test the site
  6. If you want to decrypt it back, run this command:
    ASPNET_REGIIS -pdf "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
  7. Open the web.config and check if the connection string is decrypted

Here is the related documentation: Encrypting and Decrypting Configuration Sections


Web Farms

The method above won’t work for web farms because IIS servers won’t be able to decrypt the connection string encrypted by each other. You need to create and use an RSA key along with the RSA key provider so all servers can have the same key for decryption.

High-level steps (Reference):

  • Create an RSA key:
    aspnet_regiis -pc "MyKeys" -exp
  • Grant access to the application pool identity for this key:
    aspnet_regiis -pa "MyKeys" "IIS AppPool\ApplicationPoolName" -full
  • Add the RSA provider to your web.config:

<configuration>
   <configProtectedData>
      <providers>
         <add name="MyProvider"
              type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
                    Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
                    processorArchitecture=MSIL"
              keyContainerName="MyKeys" 
              useMachineContainer="true" />
      </providers>
   </configProtectedData>
</configuration>

  • Encrypt the web.config by using RSA provider:
    aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
  • Note: You can use an alternative syntax like the one we used for a single-server scenario. Example:
    ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder" -prov "MyProvider"
  • Go to your web.config and confirm that the connection string is encrypted
  • Test the site
  • Export the RSA key:
    aspnet_regiis -px "MyKeys" "c:\keys.xml" -pri
  • Copy this file to the second server in your web farm
  • Import it on that server:
    aspnet_regiis -pi "MyKeys" "c:\keys.xml"
  • Grant access to this key (the same way as before)
  • Test the application on the second server
  • Once you have confirmed that everything works, remove the c:\keys.xml file from all servers, since it contains the private key
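
The "open web.config and check" steps in both the single-server and the web-farm procedure can be scripted. The PowerShell below is an added example, not part of the original post; the function name Get-ConnectionStringProtection, its state labels and the two sample files are assumptions made for illustration.

```powershell
# Added example: report whether <connectionStrings> in a web.config is
# protected and by which provider. Function name and states are illustrative.
function Get-ConnectionStringProtection {
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedProvider)

    [xml]$config = Get-Content -LiteralPath $Path -Raw
    $section = $config.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $section) {
        return [pscustomobject]@{ Path = $Path; State = 'NoSection'; Provider = '' }
    }
    $provider = $section.GetAttribute('configProtectionProvider')
    # EncryptedData is in the XML Encryption namespace, so match on local name.
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $clearText = $section.SelectNodes('add[@connectionString]').Count

    if ($clearText -gt 0) {
        $state = 'ClearText'
    } elseif ($null -ne $encrypted -and $provider) {
        $state = 'Encrypted'
    } else {
        $state = 'Empty'
    }
    # On a web farm every node must use the shared RSA provider, not the default.
    if ($state -eq 'Encrypted' -and $ExpectedProvider -and $provider -ne $ExpectedProvider) {
        $state = 'WrongProvider'
    }
    [pscustomobject]@{ Path = $Path; State = $state; Provider = $provider }
}

# Constructed sample files; the cipher value is a placeholder, not real output.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'cfgcheck'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
@'
<configuration><connectionStrings>
  <add name="Db" connectionString="Server=ServerA;Database=X;User Id=Z;Password=Y" />
</connectionStrings></configuration>
'@ | Set-Content (Join-Path $dir 'clear.config')
@'
<configuration><connectionStrings configProtectionProvider="MyProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>
'@ | Set-Content (Join-Path $dir 'protected.config')

Get-ChildItem $dir -Filter *.config | ForEach-Object {
    Get-ConnectionStringProtection -Path $_.FullName -ExpectedProvider 'MyProvider'
}
```

Run the function against the web.config on each node; a State of ClearText or WrongProvider on any node means the procedure was not completed there.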