How to protect your Connection string using custom Encryption method.

Download the file

Introduction

This article covers how to encrypt a connection string and other variables that are stored in a web.config. One benefit of this technique is that it is not machine dependent. The developer has 100% control over the encryption method, which can be a set of values only they know. For added protection, the logic is compiled into a DLL and deployed with your ASP.NET application.

I would like to credit the article on 15seconds by Wayne Plourde for providing the core logic for doing TripleDES and DES encryption. Here is the link to the article: http://www.15seconds.com/issue/021210.htm. The article is very straightforward and does a good job describing the .NET encryption features.

Requirements

  • .NET 1.1 or greater
  • Windows XP, 2000/2003 running .NET framework
  • Visual Studio 2003 (optional)

Steps to add to your web application

  • Encrypt your connection string using the ‘EncryptionWeb’ project, or visit http://aspdot.net/aspnet/encryptionweb.aspx
  • Copy the encrypted text to your web.config
  • Download and make a reference to the ‘CryptoUtils.dll’ in your web application
  • Add a method to your web application to ‘Decrypt’ your connection string

Encrypt your connection string

The downloadable file includes a web project called ‘EncryptionWeb’. This project can be used to encrypt the information that will be stored in the web.config.

The Results section contains the text that would be placed in the web.config.

Copy the encrypted text to your web.config

This is the web.config from the ‘EncryptionSample web’, showing how to use the encrypted value inside a web application.

Web.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <appSettings>
        <add key="ConnString" value="222yTyHaYr/QJQqzGKpnyUi0+qLJYWhj9naRmHmNsphF/v+ihT8CHfR2amwc+d9qebOPScsKLZI="></add>
    </appSettings>
</configuration>

Download and make a reference to the CryptoUtils.dll

Included in the downloadable file is a DLL called ‘CryptoUtils.dll’, which you need to reference in your web application. Just copy the DLL into your ‘/bin’ folder and add a reference to it inside Visual Studio.

Add a method to Decrypt your connection string

After you have encrypted the connection string, you will need a way to decrypt it and use it in your application. This is easy and only takes a couple of lines of code in a “Decrypt” method. We included a button Click event to show how to decrypt the “ConnString” value that is contained in your web.config. The complete sample is included in the ‘EncryptionWeb’ application.

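Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' ConfigurationSettings lives in the System.Configuration namespace
        Dim objDecrypt As New CryptoUtils.CUtils
        ' Read the encrypted "ConnString" value from web.config and decrypt it
        Label1.Text = objDecrypt.DecryptTripleDES(ConfigurationSettings.AppSettings("ConnString"))
End Sub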
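
The source of CryptoUtils.dll is not shown here, so the following is an added example and not the DLL's own code: a sketch of the kind of TripleDES helper such a DLL wraps, with a decrypt that returns False rather than throwing when the stored value is malformed. `SampleCrypto`, `TryDecrypt`, the key, the IV and the connection string are hypothetical names and constructed values.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

' Hypothetical stand-in for a helper like CryptoUtils.CUtils (not the DLL's source).
Public Class SampleCrypto
    ' Constructed 24-byte key and 8-byte IV. Constants compiled into an assembly can be
    ' read by anyone who can copy the DLL, so restrict /bin as tightly as web.config.
    Private Shared ReadOnly SampleKey As Byte() = Encoding.ASCII.GetBytes("SAMPLE-KEY-24-BYTES-LONG")
    Private Shared ReadOnly SampleIV As Byte() = Encoding.ASCII.GetBytes("SAMPLEIV")

    ' Pushes data through an encryptor or decryptor and returns the result.
    Private Shared Function Transform(ByVal data As Byte(), ByVal xform As ICryptoTransform) As Byte()
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, xform, CryptoStreamMode.Write)
        cs.Write(data, 0, data.Length)
        cs.FlushFinalBlock()
        Return ms.ToArray()
    End Function

    ' Returns Base64 text suitable for an appSettings value.
    Public Shared Function Encrypt(ByVal plainText As String) As String
        Dim tdes As New TripleDESCryptoServiceProvider()
        Dim raw As Byte() = Transform(Encoding.UTF8.GetBytes(plainText), tdes.CreateEncryptor(SampleKey, SampleIV))
        Return Convert.ToBase64String(raw)
    End Function

    ' Returns False when the value is not valid Base64 or does not decrypt cleanly.
    Public Shared Function TryDecrypt(ByVal stored As String, ByRef plainText As String) As Boolean
        plainText = Nothing
        Try
            Dim tdes As New TripleDESCryptoServiceProvider()
            Dim raw As Byte() = Transform(Convert.FromBase64String(stored), tdes.CreateDecryptor(SampleKey, SampleIV))
            plainText = Encoding.UTF8.GetString(raw)
            Return True
        Catch ex As FormatException
            Return False
        Catch ex As CryptographicException
            Return False
        End Try
    End Function
End Class

Module Demo
    Sub Main()
        Dim result As String = Nothing
        Dim stored As String = SampleCrypto.Encrypt("Server=db01;Database=Sample;User Id=app;Password=constructed")
        Console.WriteLine(SampleCrypto.TryDecrypt(stored, result))        ' round trip
        Console.WriteLine(SampleCrypto.TryDecrypt("not-base64!", result)) ' FormatException path
        Console.WriteLine(SampleCrypto.TryDecrypt("AAAA", result))        ' 3 bytes, not a whole block
    End Sub
End Module
```

The block avoids the `Using` statement so that it also compiles with the older Visual Studio and framework versions listed under Requirements.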

Conclusion

This technique I found to be effective in providing an additional layer of security and not having my connection string and other variables displayed in ‘clear text’.  Hope you found this article useful and happy coding!


copyright IISLogs 2009