Click here to Skip to main content
15,906,341 members
Search within:


Articles / Programming Languages / C#
 
Article

Encrypt and Decrypt ConnectionString in app.config and/or web.config!

Rate me:
Please Sign up or sign in to vote.
4.68/5 (32 votes)
8 Sep 2007CPOL 200.1K   4.7K   63   22
Encrypt and Decrypt ConnectionString in app.config and/or web.config!

Introduction

In Windows/Web based applications, it's not rational for you to put your ConnectionString in the native/normal format! This is because anybody can see your userID/username and password!.

In this article, I want to teach you how to encrypt ConnectionString and decrypt it as you wish.

Background

This feature was born in .NET Framework 2.0 (Visual Studio 2005).

Using the Code

First of all, we suggest you to create a static class with the name Utilities and put the below functions in it. After all, you can call just two functions for encryption and decryption of your connection string.

C#
namespace DT.Security
{
    public static class Utilities
    {
        public static void ProtectConnectionString()
        {
            ToggleConnectionStringProtection
		(System.Windows.Forms.Application.ExecutablePath, true);
        }

        public static void UnprotectConnectionString()
        {
            ToggleConnectionStringProtection
		(System.Windows.Forms.Application.ExecutablePath, false);
        }

        private static void ToggleConnectionStringProtection
				(string pathName, bool protect)
        {
            // Define the Dpapi provider name.
            string strProvider = "DataProtectionConfigurationProvider";
            // string strProvider = "RSAProtectedConfigurationProvider";

            System.Configuration.Configuration oConfiguration = null;
            System.Configuration.ConnectionStringsSection oSection = null;

            try
            {
                // Open the configuration file and retrieve 
	       // the connectionStrings section.

                // For Web!
                // oConfiguration = System.Web.Configuration.
	       //                  WebConfigurationManager.OpenWebConfiguration("~");

                // For Windows!
                // Takes the executable file name without the config extension.
                oConfiguration = System.Configuration.ConfigurationManager.
                                                OpenExeConfiguration(pathName);

                if (oConfiguration != null)
                {
                    bool blnChanged = false;

                    oSection = oConfiguration.GetSection("connectionStrings") as
                System.Configuration.ConnectionStringsSection;

                    if (oSection != null)
                    {
                        if ((!(oSection.ElementInformation.IsLocked)) &&
                (!(oSection.SectionInformation.IsLocked)))
                        {
                            if (protect)
                            {
                                if (!(oSection.SectionInformation.IsProtected))
                                {
                                    blnChanged = true;

                                    // Encrypt the section.
                                    oSection.SectionInformation.ProtectSection
								(strProvider);
                                }
                            }
                            else
                            {
                                if (oSection.SectionInformation.IsProtected)
                                {
                                    blnChanged = true;

                                    // Remove encryption.
                                    oSection.SectionInformation.UnprotectSection();
                                }
                            }
                        }

                        if (blnChanged)
                        {
                            // Indicates whether the associated configuration section 
                            // will be saved even if it has not been modified.
                            oSection.SectionInformation.ForceSave = true;

                            // Save the current configuration.
                            oConfiguration.Save();
                        }
                    }
                }
            }
            catch (System.Exception ex)
            {
                throw (ex);
            }
            finally
            {
            }
        }
    }
}

Points of Interest

After I learned this feature, I used it in all of my Windows/Web based applications!

History

  • 8th September, 2007: First release

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Dariush Tasdighi
Web Developer Sematec Ins.
Iran (Islamic Republic of) Iran (Islamic Republic of)
My experiences are:

HTML 5.0, CSS 3.0
JQuery, Angular JS, Bootstrap

MVC 5.0, WEB API, c#

My Site URLs:
http://www.IranianExperts.ir
http://www.IranianExperts.com

My Yahoo Group URL: http://groups.yahoo.com/group/iranianexperts

Mobile: 0098-912-108-7461
Address: Tehran, Tehran, Iran

Comments and Discussions

 
First Prev Next
QuestionCan't run when copy file .exe to client another Pin
cncamau24-Dec-23 22:44
cncamau24-Dec-23 22:44 
PraiseThank you Pin
Harini Maisuriya2-Aug-22 19:36
Harini Maisuriya2-Aug-22 19:36 
QuestionNot working. Pin
sunayv20-Jun-13 0:41
sunayv20-Jun-13 0:41 
Questionخیلی استادی. استاد Pin
hamed elahi16-Mar-13 1:58
hamed elahi16-Mar-13 1:58 
QuestionTwo different computer can't read the same encrypted file Pin
biczek26-Jan-13 6:02
biczek26-Jan-13 6:02 
AnswerRe: Two different computer can't read the same encrypted file Pin
SergioMF20-Aug-14 5:14
professionalSergioMF20-Aug-14 5:14 
GeneralRe: Two different computer can't read the same encrypted file Pin
hussein wajeeh22-Mar-15 8:26
professionalhussein wajeeh22-Mar-15 8:26 
GeneralMy vote of 5 Pin
Manoj Kumar Choubey29-Mar-12 23:28
professionalManoj Kumar Choubey29-Mar-12 23:28 
Questiondidn't work for me, full of bugs. Pin
Member 238286828-Jun-11 16:52
Member 238286828-Jun-11 16:52 
GeneralMy vote of 5 Pin
VirtualIdeal7-Dec-10 16:21
VirtualIdeal7-Dec-10 16:21 
GeneralMy vote of 5 Pin
Reyhaneh22-Sep-10 8:35
Reyhaneh22-Sep-10 8:35 
QuestionWhat's the difference? Pin
Greizzerland18-Jan-10 7:19
Greizzerland18-Jan-10 7:19 
GeneralSeems unsecure Pin
xr280xr2-Mar-09 6:14
xr280xr2-Mar-09 6:14 
GeneralRe: Seems unsecure PinPopular
CStroliaDavis24-Jun-09 11:34
CStroliaDavis24-Jun-09 11:34 
Hey xr,

The security provided by encrypting web.config is experienced, primarily in the following ways:
1. By preventing external users from seeing private information in web.config files that are exposed to the public (usually unintentionally).
2. This helps prevent leakage of information through privileged users who are basically honest.

In the first case, a common scenario is when the web.config is updated, sometimes, inexperienced administrators will backup the old configuration file with a name like web.config.old. or .bak or something like that. A malicious user will often try out these types of variations, since these are not (or at least weren't) hidden by IIS. This would give them a text file showing them many of the configuration settings.

As for people who have direct access to the computer/server where the web.config resides, it is actually quite easy to decrypt this information. Ideally, the only people who have access to these files are people who are authorized to view them. In any case, it is still helpful to have that extra layer of protection that prevents these users from seeing the userName and password combinations for static accounts. Even though, they could get the information if they wanted to, as a general rule, they don't have to see that information if they are in the configuration file, modifying non sensitive values. If a malicious user were to try to get them to divulge sensitive information that normally resides in web.config, chances are that information would be unknown, and the process necessary to get that information might take just enough effort to wake them up to what's happening.

Make no mistake, many malicious users are experts at social engineering and can often, easily get sensitive information from people who are not paying attention. Adding that extra layer of security can help to minimize the risk a little.

By the way, the key is generally created automatically on whatever the machine the web site is running on. It is possible to generate specific keys for combinations of the machine, user or website on any given machine, and these can be set to behave a certain way within the machine.config file, or even influenced (to some extent) in the web.config files themselves.

By default, a web.config that is encrypted on one machine cannot be decrypted on a different machine. It is possible to have a key that is shared across multiple machines so that web.config files can be copied without decrypting them first.

I don't recall, but I believe the same key is, or can be, used for encrypting the user tokens when a user authenticates to a particular web site. This is where a shared key can be more beneficial, since a user may move from one server to another in a web farm. When they are logged into a web site it would be necessary for the other servers to be able to determine if the user is already logged in or not.

I hope this information is useful
QuestionCan not be declassified Pin
lvxiaojiang26-Jun-08 17:54
lvxiaojiang26-Jun-08 17:54 
QuestionHow can I apply it on Window service Pin
bmwgamil18-Oct-07 11:16
bmwgamil18-Oct-07 11:16 
NewsTwo other related encryption articles in CodeProject ... Pin
Tony Selke27-Sep-07 7:05
Tony Selke27-Sep-07 7:05 
GeneralVeiled Attempt at Social Engineering Pin
DumpsterJuice9-Sep-07 4:30
DumpsterJuice9-Sep-07 4:30 
GeneralRe: Veiled Attempt at Social Engineering Pin
Dariush Tasdighi9-Sep-07 22:03
Dariush Tasdighi9-Sep-07 22:03 
GeneralRe: Veiled Attempt at Social Engineering Pin
DumpsterJuice10-Sep-07 1:04
DumpsterJuice10-Sep-07 1:04 
GeneralTopic already covered Pin
Vasudevan Deepak Kumar9-Sep-07 2:47
Vasudevan Deepak Kumar9-Sep-07 2:47 
GeneralRe: Topic already covered Pin
Dariush Tasdighi9-Sep-07 3:40
Dariush Tasdighi9-Sep-07 3:40 
Last Visit: 31-Dec-99 18:00     Last Update: 27-May-24 4:14Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 8 Sep 2007

Article Copyright 2007 by Dariush Tasdighi
Everything else Copyright © CodeProject, 1999-2024

Web04 2.8:2024-05-23:1