
IIS Support Blog

Connection string encryption and decryption

Nedim
Aug 29, 2019

Web applications use connection strings to connect to databases; a connection string carries the server name, the database name, the credentials and other connection settings. For example, a connection string can tell your web application to connect to database X on ServerA using username Z and password Y.
Connection strings are usually stored in web.config, which means connection-specific information such as the database name, username and password sits in clear text in a file on disk. Anyone who can read that file, or a copy of it in a backup or a source-control checkout, gets the database credentials. This is a real security concern on production servers, and it is why connection strings should be encrypted.
You can use the ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt and decrypt your connection strings. The tool rewrites the chosen section of web.config in place, and ASP.NET decrypts it transparently at run time, so the application code does not change. There are two scenarios to consider:

  1. Encryption/decryption for a Single Server
  2. Encryption/decryption for a Web Farm
Single server

Use the steps below for encryption and decryption when there is only one IIS server. The method below uses the default protected-configuration provider from machine.config (RsaProtectedConfigurationProvider with the machine-level NetFrameworkConfigurationKey container), whose key exists only on the server where the section was encrypted.

  1. Run Command Prompt as Administrator
  2. Go to C:\Windows\Microsoft.NET\Framework\v4.0.30319 (the 64-bit copy of the tool is under Framework64)
  3. Run the command below to encrypt the connectionStrings section of your web.config:
    ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
  4. Open web.config and check that the connection string is encrypted: the section now carries a configProtectionProvider attribute and contains an EncryptedData element instead of clear-text add entries
  5. Test the site. ASP.NET decrypts the section at run time, so no application code changes are needed
  6. If you want to decrypt it back, run this command:
    ASPNET_REGIIS -pdf "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
  7. Open web.config and check that the connection string is back in clear text

Here is the related documentation: Encrypting and Decrypting Configuration Sections
Web Farms

The method above won't work for web farms because the default key container exists only on the server that created it, so a web.config encrypted on one server cannot be decrypted by the others (and a deployment that copies the same web.config to every node will break on all but the one that encrypted it). You need to create an exportable RSA key container, reference it from an RSA provider in web.config, and import the same key on every server so they can all decrypt the section.

High-level steps (Reference)

  • Create an RSA key:
    aspnet_regiis -pc "MyKeys" -exp
  • Grant access to the application pool identity for this key:
    aspnet_regiis -pa "MyKeys" "IIS AppPool\ApplicationPoolName" -full
  • Add RSA provider to your web.config:
<configuration>
   <configProtectedData>
      <providers>
         <add name="MyProvider"
              type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
                    Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
                    processorArchitecture=MSIL"
              keyContainerName="MyKeys" 
              useMachineContainer="true" />
      </providers>
   </configProtectedData>
</configuration>
  • Encrypt the web.config by using RSA provider:
    aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
  • Note: You can use an alternative syntax like the one we used for a single-server scenario. Example:
    ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder" -prov "MyProvider"
  • Go to your web.config and confirm that the connection string is encrypted (the configProtectionProvider attribute on the section should name MyProvider)
  • Test the site
  • Export the RSA key container, including its private key (-pri); without the private key the other servers could encrypt but never decrypt:
    aspnet_regiis -px "MyKeys" "c:\keys.xml" -pri
  • Copy this file to the second server in your web farm. It contains the private key, so move it over a protected channel and do not leave it on a shared location
  • Import it on that server:
    aspnet_regiis -pi "MyKeys" "c:\keys.xml"
  • Grant the application pool identity access to the imported key (the same -pa command as before)
  • Test the application on the second server
  • Once you have confirmed that everything works, remove the c:\keys.xml file from all servers
  • To decrypt the section later, run the same -pdf command as in the single-server scenario on any server that holds the key; the section's configProtectionProvider attribute tells the tool which provider and key container to use
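Here is the whole web-farm procedure driven from PowerShell, as an added example that is not part of the original post. It wraps aspnet_regiis, verifies the result by reading web.config (the same check as step 4 of the single-server list, so it serves that scenario too), distributes the key to a second node, and removes the exported key file from both sides. The container name MyKeys, the provider name MyProvider, the pool MyAppPool, the site path, and the peer node WEB02 (reachable over PowerShell remoting and its C$ share) are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on the first farm node. Names below are hypothetical.
$regiis   = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$appPath  = 'D:\inetpub\wwwroot\applicationFolder'
$keyName  = 'MyKeys'                  # RSA key container name, must match web.config
$provider = 'MyProvider'              # provider name declared in <configProtectedData>
$poolId   = 'IIS AppPool\MyAppPool'   # identity that must be able to decrypt at run time
$keyFile  = 'C:\keys.xml'             # export file, holds the private key
$peerName = 'WEB02'                   # second farm node (assumed to accept remoting)
$peerShare = '\\WEB02\C$'

function Invoke-RegIis {
    # Runs aspnet_regiis and turns a non-zero exit code into a terminating error,
    # so a failed step cannot be silently skipped.
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Test-ConnectionStringsProtected {
    # Returns $true only when <connectionStrings> names a protection provider,
    # contains an <EncryptedData> element, and has no clear-text <add> entries.
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $section = $cfg.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $section) { return $false }
    $providerAttr = $section.GetAttribute('configProtectionProvider')
    $hasEncryptedData = $null -ne $section.SelectSingleNode('*[local-name()="EncryptedData"]')
    $hasClearAdd = $null -ne $section.SelectSingleNode('add[@connectionString]')
    return ($providerAttr -ne '') -and $hasEncryptedData -and (-not $hasClearAdd)
}

# 1. Create an exportable machine-level RSA key container and let the pool identity use it.
Invoke-RegIis -Arguments @('-pc', $keyName, '-exp')
Invoke-RegIis -Arguments @('-pa', $keyName, $poolId, '-full')

# 2. Encrypt the section with the named provider (the <configProtectedData> entry
#    shown above must already be in web.config), then verify the file on disk.
Invoke-RegIis -Arguments @('-pef', 'connectionStrings', $appPath, '-prov', $provider)
$webConfig = Join-Path $appPath 'web.config'
if (-not (Test-ConnectionStringsProtected -WebConfigPath $webConfig)) {
    throw "connectionStrings in $webConfig is still in clear text"
}

# 3. Export the container with its private key, copy it to the peer, import it there,
#    grant the peer's pool identity access, and delete the file on the peer.
Invoke-RegIis -Arguments @('-px', $keyName, $keyFile, '-pri')
Copy-Item -Path $keyFile -Destination (Join-Path $peerShare 'keys.xml')
Invoke-Command -ComputerName $peerName -ScriptBlock {
    param($regiis, $keyName, $keyFile, $poolId)
    & $regiis -pi $keyName $keyFile
    if ($LASTEXITCODE -ne 0) { throw "key import failed on $env:COMPUTERNAME" }
    & $regiis -pa $keyName $poolId -full
    if ($LASTEXITCODE -ne 0) { throw "key ACL failed on $env:COMPUTERNAME" }
    Remove-Item -Path $keyFile -Force
} -ArgumentList $regiis, $keyName, $keyFile, $poolId

# 4. The export file contains the private key: remove it from the source node as well.
Remove-Item -Path $keyFile -Force

# The peer can now decrypt the same web.config; test the application there before
# relying on the farm. To reverse the change on any node holding the key:
#   Invoke-RegIis -Arguments @('-pdf', 'connectionStrings', $appPath)
```

The verification function deliberately checks for the absence of clear-text add entries as well as the presence of EncryptedData, because a web.config that was only partially rewritten (or restored from an old backup) would otherwise pass a check that looks at the attribute alone.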

Updated Sep 27, 2024
Version 3.0

  • Alex Mondale
    Copper Contributor

    I wrote a routine to Encrypt/Decrypt web.config that doesn't need machine access (I assume that ASPNET_REGIIS would need such access, not available, for example, in Azure Web Services). Here is the code. I do believe such code could be run on each server in a farm giving each server access to the encrypted web.config (per web application) without having to pass around a shared secret (XML file) or use RSA (ASPNET_REGIIS):
    using System;
    using System.Configuration;
    using System.Web.Configuration;

    // Web Forms code-behind handler: protects <connectionStrings> in the
    // application's own web.config with the DPAPI-based provider.
    protected void Encrypt_Click(object sender, EventArgs e)
    {
        // Get configuration information about Web.config
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        // Let's work with the <connectionStrings> section
        ConfigurationSection connectionStrings = config.GetSection("connectionStrings");
        if (connectionStrings != null)
        {
            // Only encrypt the section if it is not already protected
            if (!connectionStrings.SectionInformation.IsProtected)
            {
                // Encrypt the <connectionStrings> section using the
                // DataProtectionConfigurationProvider provider
                connectionStrings.SectionInformation.ProtectSection(
                    "DataProtectionConfigurationProvider");
                config.Save();

                // Refresh the Web.config display (page method, not shown here)
                DisplayWebConfig();
            }
        }
    }
  • Arti_S995
    Copper Contributor

    Hi, can you please tell the decryption steps for the Web Farms (using the RSA key)?