How To Encrypt Connection Strings in ASP.NET

Although a connection string stored in the web.config file is relatively safe since it will never be served to users by IIS, it is still best practice to encrypt all connection strings used in the ASP.NET application.

You can do this with the Aspnet_regiis.exe tool, using the -pe (provider encryption) option to encrypt sections of the Web.config file. To encrypt the connectionStrings section, run the command below from the command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

In the above command, -pe specifies which configuration section to encrypt, -app specifies the virtual path to the application and -prov specifies the provider name. The .NET Framework supports two protected configuration providers, RsaProtectedConfigurationProvider and DpapiProtectedConfigurationProvider (the DPAPI provider is registered under the name DataProtectionConfigurationProvider, which is the name passed to -prov above):

  • RsaProtectedConfigurationProvider. The default provider, which uses RSA public key encryption to encrypt and decrypt data. You should use this provider to encrypt config files for use on several Web servers in a Web farm.
  • DpapiProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt config files used on a single server.

It is not necessary to take any steps to decrypt the data since the ASP.NET runtime handles this seamlessly.

Note that you should also consider encrypting the <appSettings>, <identity> and <sessionState> sections of the web.config file since these may also contain sensitive data.
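To confirm which of the sections mentioned above are actually protected after running the tool, the following PowerShell check can be run against a web.config. It is an added example, not part of the original article: the function name Get-ConfigSectionProtection is hypothetical and the sample configuration is constructed for illustration.

```powershell
# Sections named in the article; identity and sessionState live under system.web.
$SectionPaths = @(
    'connectionStrings',
    'appSettings',
    'system.web/identity',
    'system.web/sessionState'
)

function Get-ConfigSectionProtection {
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($path in $SectionPaths) {
        # local-name() keeps the XPath working when <configuration> or
        # <EncryptedData> carries an xmlns declaration.
        $steps = $path -split '/' | ForEach-Object { "*[local-name()='$_']" }
        $xpath = "/*[local-name()='configuration']/" + ($steps -join '/')
        $node  = $Config.SelectSingleNode($xpath)

        if ($null -eq $node) {
            $state = 'Absent'; $provider = $null
        } else {
            # A protected section carries the provider name and an EncryptedData child.
            $provider  = $node.GetAttribute('configProtectionProvider')
            $encrypted = $node.SelectSingleNode("*[local-name()='EncryptedData']")
            $state = if ($provider -and $encrypted) { 'Encrypted' } else { 'ClearText' }
        }
        [pscustomobject]@{ Section = $path; State = $state; Provider = $provider }
    }
}

# Constructed sample: one protected section, two still in clear text, one absent.
$sample = [xml]@'
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
  </appSettings>
  <system.web>
    <sessionState mode="SQLServer" sqlConnectionString="constructed-sample" />
  </system.web>
</configuration>
'@

Get-ConfigSectionProtection -Config $sample | Format-Table -AutoSize
```

For a real site, pass the parsed file instead of the sample, for example `[xml](Get-Content -Raw .\web.config)`. Any section reported as ClearText still needs its own aspnet_regiis -pe run.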
