Hello everyone - I've been trying to find a way to encrypt or further secure the web.config file for my website. I have read a lot of guides and my main limitation from these is that I am using web hosting on a shared server (GoDaddy, specifically) so I do not have access to root drive or command line on the server. The main reason I want to be able to secure this is so that I can build a non-billing (doesn't require Meaningful Use) electronic health records application - I need a way to connect to a SQL database and access health information. SSL is a no-brainer, but that protects the transport... I am hoping that since I also have similar restrictions on what I can do to the database, that I can secure my connection strings and include a key to encrypt and decrypt data stored on the server from the application side since server side doesn't appear to be an option.

The problem with just decrypting-on-demand in the backend of any page seems to be the same problem as leaving the connection string in the web.config... while neither are served to a user on the site, anyone with file access to the site directory can open the files and get the connection strings anyways.

One possible solution would appear to just rent a virtual server, which gives me the ability to try the normal routes, but that would be cost-prohibitive.

What I have tried:

So far, the methods I've seen have required changing IIS settings through the command line, decrypting a pre-encrypted connection string in the .cs page back-end, and attempting to use the WebConfigurationManager a la this guide, which works swimmingly on localhost but access is denied once it's deployed to production.
Comments
Dave Kreskowiak 26-May-18 18:38pm    
Please tell me you're not going to be putting HIPAA regulated data on a PUBLIC WEB SERVER!? You're opening yourself up to liability issues and severe penalties if you do. Think $100 to $50000 times the number of member records exposed times the number of violations.

This is normally something you host yourself with security expertise, not on GoDaddy or any other public service.
dfarr1 26-May-18 19:47pm    
First and foremost, you’ve offered no solution. Clearly the point here is to secure the data, otherwise there would be no point in this. I’m here asking for help on securing a web.config, which is useful whether it’s an EHR or any other web application that has connection strings, for that matter.
Dave Kreskowiak 26-May-18 20:59pm    
As I'm someone who works in the health insurance industry, go ahead and ignore my question at your own peril.
[no name] 27-May-18 13:53pm    
You can supply "credentials" via code; it does not need to go in web.config.

You also cannot assume the ISP / GoDaddy, and a given "hosting plan", is not secure; particularly when it includes a dedicated server.
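
The WebConfigurationManager approach mentioned in the question, written so that it runs on the server itself and reports why it failed instead of throwing. This is an added example, not code from the thread; the class and method names are hypothetical. It assumes the site's application identity is allowed to rewrite web.config, which is the step that was denied on the shared host.

```csharp
using System;
using System.Configuration;
using System.Security;
using System.Web.Configuration;

// Hypothetical helper (not from the thread): encrypts <connectionStrings> in place.
public static class ConfigProtector
{
    // Built-in provider registered in machine.config. It is DPAPI-based, so the
    // ciphertext can only be decrypted on the machine that produced it; a section
    // encrypted on localhost and then uploaded will not decrypt on the host.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Call once on the production server, e.g. from Application_Start.
    // Returns null on success, or a short reason string on failure.
    public static string TryProtectConnectionStrings()
    {
        try
        {
            Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
            ConfigurationSection section = config.GetSection("connectionStrings");
            if (section == null) return "connectionStrings section not found";

            SectionInformation info = section.SectionInformation;
            if (info.IsProtected) return null;          // already encrypted
            if (info.IsLocked) return "section is locked by a parent configuration";

            info.ProtectSection(Provider);
            info.ForceSave = true;
            // Rewrites web.config on disk; this also restarts the application,
            // after which IsProtected is true and the method returns early.
            config.Save(ConfigurationSaveMode.Modified);
            return null;
        }
        catch (UnauthorizedAccessException ex)
        {
            return "no write access to web.config: " + ex.Message;
        }
        catch (SecurityException ex)
        {
            return "blocked by the host's trust level: " + ex.Message;
        }
        catch (ConfigurationErrorsException ex)
        {
            return "provider or section error: " + ex.Message;
        }
    }
}
```

Once the section is protected, `ConfigurationManager.ConnectionStrings[...]` decrypts it transparently, so the data-access code does not change. Code running as the same application on that server can still read the value, so this protects the file at rest rather than against someone who can execute code in the site.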

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


