Web applications use connection strings to connect to databases with certain credentials and other configuration. For example: a connection string can tell your web application to connect to X database at ServerA by using Z username and Y password.
The connection strings are mostly stored in web.config. It means that connection specific information such as database name, username, and password are stored as a clear text in a file. This is definitely a security concern for your Production servers. This is why the connection strings should be encrypted.
You can use ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt and decrypt your connections strings. There are two scenarios to consider:
Use the steps below for encryption and decryption when there is only one IIS server. The method below uses the default key provider
ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
ASPNET_REGIIS -pdf "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
Here is the related documentation: Encrypting and Decrypting Configuration Sections
The method above won’t work for web farms because IIS servers won’t be able to decrypt the connection string encrypted by each other. You need to create and use an RSA key along with the RSA key provider so all servers can have the same key for decryption.
High-level steps (Reference:(
aspnet_regiis -pc "MyKeys" -exp
aspnet_regiis -pa "MyKeys" "IIS AppPool\ApplicationPoolName" -full
<configuration> <configProtectedData> <providers> <add name="MyProvider" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL" keyContainerName="MyKeys" useMachineContainer="true" /> </providers> </configProtectedData> </configuration>
aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder" -prov "MyProvider"
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.