Web applications use connection strings to connect to databases with specific credentials and other configuration. For example, a connection string can tell your web application to connect to database X on ServerA using username Z and password Y.
Connection strings are usually stored in web.config, which means that connection-specific information such as the database name, username, and password sits in clear text in a file on disk. That is a real security concern on production servers: anyone who can read the file (an administrator, a backup operator, a directory traversal bug, a misconfigured share) gets working database credentials. This is why the connectionStrings section should be encrypted. Keep in mind what this does and does not protect: it stops the secret from being read straight out of the file, but any code running as the application pool identity can still decrypt it, so the ACL on the encryption key matters as much as the encryption itself.
You can use the ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt and decrypt your connection strings. There are two scenarios to consider:
- Encryption/decryption for a Single Server
- Encryption/decryption for a Web Farm
Single server
Use the steps below for encryption and decryption when there is only one IIS server. This method uses the default protected configuration provider (RsaProtectedConfigurationProvider with the machine-level key container NetFrameworkConfigurationKey), so the key never leaves the machine and nothing needs to be added to web.config.
- Run Command Prompt as Administrator
- Go to C:\Windows\Microsoft.NET\Framework\v4.0.30319 (on 64-bit Windows the Framework64 folder has a copy as well; both use the same machine key store, so either one works)
- Run the command below to encrypt the connectionStrings section of your web.config. The second argument is the folder that contains web.config, not the file itself:
ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
- Open web.config and check that the connection string is encrypted: the connectionStrings element now carries a configProtectionProvider attribute and contains an EncryptedData element instead of the original add elements
- Test the site
- If you want to decrypt it back, run this command:
ASPNET_REGIIS -pdf "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
- Open the web.config and check if the connection string is decrypted
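The single-server procedure above, wrapped in PowerShell so it can be scripted and verified. This is an added example, not code from the original post: it locates aspnet_regiis.exe, runs the -pef and -pdf commands, and then checks the result in two ways, statically by parsing web.config and at runtime by letting System.Configuration decrypt the section. The application folder is the hypothetical path used on this page; the function names are my own.

```powershell
# Added example (not from the original post). Assumptions: .NET Framework 4.x is
# installed, the shell runs elevated, and D:\inetpub\wwwroot\applicationFolder
# is a hypothetical application folder containing a web.config.

function Get-AspNetRegIis {
    # Prefer the 64-bit tool on 64-bit Windows; both bitnesses share the same
    # machine-level RSA key store, so either works for encrypting web.config.
    foreach ($dir in 'Framework64', 'Framework') {
        $exe = Join-Path $env:windir "Microsoft.NET\$dir\v4.0.30319\aspnet_regiis.exe"
        if (Test-Path $exe) { return $exe }
    }
    throw 'aspnet_regiis.exe not found; is .NET Framework 4.x installed?'
}

function Protect-ConnectionStrings {
    param(
        [Parameter(Mandatory)] [string] $AppPath,  # folder that contains web.config
        [string] $Provider                          # omit to use the default provider
    )
    $toolArgs = @('-pef', 'connectionStrings', $AppPath)
    if ($Provider) { $toolArgs += @('-prov', $Provider) }
    & (Get-AspNetRegIis) @toolArgs
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }
}

function Unprotect-ConnectionStrings {
    param([Parameter(Mandatory)] [string] $AppPath)
    & (Get-AspNetRegIis) -pdf connectionStrings $AppPath
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pdf failed with exit code $LASTEXITCODE" }
}

function Test-ConnectionStringsEncrypted {
    # Static check: an encrypted section carries a configProtectionProvider
    # attribute and an <EncryptedData> child instead of <add> elements.
    param([Parameter(Mandatory)] [string] $AppPath)
    [xml] $cfg = Get-Content -Raw (Join-Path $AppPath 'web.config')
    $section = $cfg.configuration.connectionStrings
    return [bool]($section.configProtectionProvider -and $section.EncryptedData)
}

function Get-DecryptedConnectionStrings {
    # Runtime check: System.Configuration decrypts protected sections
    # transparently, but only for an account that can read the RSA key
    # container. Run this as the application pool identity to prove the site
    # will be able to read its own connection strings.
    param([Parameter(Mandatory)] [string] $AppPath)
    Add-Type -AssemblyName System.Configuration
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = Join-Path $AppPath 'web.config'
    $cfg = [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
    # Note: entries inherited from machine.config (e.g. LocalSqlServer) show up too.
    foreach ($cs in $cfg.ConnectionStrings.ConnectionStrings) {
        [pscustomobject]@{
            Name             = $cs.Name
            ProviderName     = $cs.ProviderName
            ConnectionString = $cs.ConnectionString
        }
    }
}

# Usage with the hypothetical application folder from this page:
$app = 'D:\inetpub\wwwroot\applicationFolder'
Protect-ConnectionStrings -AppPath $app
if (-not (Test-ConnectionStringsEncrypted -AppPath $app)) {
    throw 'web.config still holds clear-text connection strings'
}
Get-DecryptedConnectionStrings -AppPath $app | Format-Table -AutoSize
# To revert: Unprotect-ConnectionStrings -AppPath $app
```

The runtime check is the one that matters operationally: a section can be perfectly encrypted and still break the site if the application pool identity has no access to the key container, which the static check cannot tell you.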
Here is the related documentation: Encrypting and Decrypting Configuration Sections
Web Farms
The method above won't work for web farms, because the default provider encrypts with a key container that is generated per machine: a web.config encrypted on one server cannot be decrypted by another. You need to create your own RSA key container, export it including the private key, import it on every server in the farm, and point web.config at a provider that uses that container, so all servers decrypt with the same key. Treat the exported key file as a secret: move it over a secure channel and delete it on every machine once the import is done.
High-level steps (Reference)
- Create an exportable RSA key container (-exp marks the private key as exportable, which the export step below requires):
aspnet_regiis -pc "MyKeys" -exp
- Grant the application pool identity access to this key on every server (the pool must already exist, otherwise the IIS AppPool virtual account does not exist yet). Decrypting only needs read access, so you can omit -full:
aspnet_regiis -pa "MyKeys" "IIS AppPool\ApplicationPoolName" -full
- Add the RSA provider to your web.config:
<configuration>
  <configProtectedData>
    <providers>
      <add name="MyProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
                 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
                 processorArchitecture=MSIL"
           keyContainerName="MyKeys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
</configuration>
- Encrypt the web.config using the RSA provider. With -pe the -app argument is a virtual path that is resolved against the Default Web Site unless you also pass -site with the site name or ID:
aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
- Note: you can use the physical-path syntax from the single-server scenario instead, which avoids the site lookup altogether. Example:
ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder" -prov "MyProvider"
- Open your web.config and confirm that the connectionStrings section is encrypted and that its configProtectionProvider attribute reads "MyProvider" (if it says RsaProtectedConfigurationProvider, the default key was used and the other servers will not be able to decrypt it)
- Test the site
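The web farm procedure end to end, including the export and import steps that distribute the key container, as an added example that is not part of the original post. It uses PowerShell Remoting to create the container on one node, copy the export to the other nodes, import it, grant the pool identity access everywhere, and finally encrypt web.config on every node with the custom provider. Node names, the pool name, the container and provider names, and all paths are assumptions; the MyProvider entry from the web.config fragment above is assumed to be deployed already.

```powershell
# Added example (not part of the original post). Assumptions: PowerShell
# Remoting (WinRM) is enabled and this shell is an administrator on every node
# (PowerShell 5+ for Copy-Item -ToSession/-FromSession); the application pool
# already exists on each node; web.config with the MyProvider entry is already
# deployed on each node. Names and paths below are hypothetical.

$KeyContainer    = 'MyKeys'
$ProviderName    = 'MyProvider'
$AppPoolIdentity = 'IIS AppPool\ApplicationPoolName'
$AppPath         = 'D:\inetpub\wwwroot\applicationFolder'
$Nodes           = 'web01', 'web02', 'web03'   # first node issues the key, the rest import it
$RegIis          = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$RemoteKeyFile   = 'C:\Windows\Temp\MyKeys.xml'
$LocalKeyFile    = Join-Path $env:TEMP 'MyKeys.xml'

# Runs on the key-issuing node: create an exportable container, grant the pool
# identity read access (enough to decrypt), and export it WITH the private key.
# Without -pri the other nodes could encrypt but never decrypt.
$createAndExport = {
    param($exe, $container, $identity, $file)
    & $exe -pc $container -exp;        if ($LASTEXITCODE) { throw "-pc failed ($LASTEXITCODE)" }
    & $exe -pa $container $identity;   if ($LASTEXITCODE) { throw "-pa failed ($LASTEXITCODE)" }
    & $exe -px $container $file -pri;  if ($LASTEXITCODE) { throw "-px failed ($LASTEXITCODE)" }
}

# Runs on every other node: import the container, grant the same access, and
# destroy the export file, which holds the private key in the clear.
$importAndGrant = {
    param($exe, $container, $identity, $file)
    try {
        & $exe -pi $container $file;       if ($LASTEXITCODE) { throw "-pi failed ($LASTEXITCODE)" }
        & $exe -pa $container $identity;   if ($LASTEXITCODE) { throw "-pa failed ($LASTEXITCODE)" }
    } finally {
        Remove-Item $file -Force -ErrorAction SilentlyContinue
    }
}

# Runs on every node: encrypt the section with the named provider and return
# the configProtectionProvider attribute so the caller can confirm which key
# was actually used.
$encryptAndCheck = {
    param($exe, $path, $provider)
    & $exe -pef connectionStrings $path -prov $provider
    if ($LASTEXITCODE) { throw "-pef failed ($LASTEXITCODE)" }
    [xml] $cfg = Get-Content -Raw (Join-Path $path 'web.config')
    $cfg.configuration.connectionStrings.configProtectionProvider
}

$sessions = New-PSSession -ComputerName $Nodes
$issuer, $others = $sessions
try {
    Invoke-Command -Session $issuer -ScriptBlock $createAndExport `
        -ArgumentList $RegIis, $KeyContainer, $AppPoolIdentity, $RemoteKeyFile
    Copy-Item -FromSession $issuer -Path $RemoteKeyFile -Destination $LocalKeyFile
    Invoke-Command -Session $issuer -ScriptBlock { param($f) Remove-Item $f -Force } `
        -ArgumentList $RemoteKeyFile

    foreach ($s in $others) {
        Copy-Item -ToSession $s -Path $LocalKeyFile -Destination $RemoteKeyFile
        Invoke-Command -Session $s -ScriptBlock $importAndGrant `
            -ArgumentList $RegIis, $KeyContainer, $AppPoolIdentity, $RemoteKeyFile
    }

    # Every node now holds the same container, so each can encrypt its own copy
    # of web.config (ciphertexts differ, all decrypt with the shared key).
    $used = Invoke-Command -Session $sessions -ScriptBlock $encryptAndCheck `
        -ArgumentList $RegIis, $AppPath, $ProviderName
    $wrong = @($used | Where-Object { $_ -ne $ProviderName })
    if ($wrong.Count -gt 0) {
        throw "expected provider '$ProviderName' on every node, got: $($used -join ', ')"
    }
}
finally {
    Remove-Item $LocalKeyFile -Force -ErrorAction SilentlyContinue
    Remove-PSSession $sessions
}
```

Two design choices worth noting: the private key spends as little time on disk as possible (the export file is removed on the issuer, on each importing node and locally, even if an import throws), and the final check reads the configProtectionProvider attribute back from every node, because a typo in -prov silently falls back to nothing useful on a farm: the default machine key encrypts fine and then fails to decrypt on every other server.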