Home/ Questions/Q 6852057
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T01:19:30+00:00

I’m currently working on a ASP.NET MVC web site, and I’ve come up to

  • 0

I’m currently working on a ASP.NET MVC web site, and I’ve come up to a point where I need to integrate a database into the website.

Normally I would simply add the appropriate connection string to the Web.config file:

<add name="MainDB" 
    connectionString="Server=localhost; Database=TopSecretData; User Id=Joe;
    password=password" providerName="System.Data.SqlClient" />

But there’s obviously a glaring security flaw if I leave my User Id and password right in the Web.config, especially when it’s under source control.

In short: How can I store my connection string details without having it publicly visible?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Best practice is to encrypt your connection strings section. Use aspnet_regiis.exe, which can be found in various places:

    • Start – Visual Studio – Visual Studio Tools – Visual Studio Command Prompt
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319 (making sure you run as an administrator)

    Before:

    <configuration>
<connectionStrings>
<add name="MainConnectionString" 
 connectionString="data source=Ratbert;database=Sales;username=ASPNET;password=$Double_Rainbow2011" 
 providerName="System.Data.SqlClient"/>
</connectionStrings>
</configuration>

    Run this command:

    aspnet_regiis –pef connectionStrings c:\PathToWebSite

    Or, if the above command doesn’t work (and you get the aspnet_regiis help text), try

    aspnet_regiis -pe connectionStrings -app "/" -site 6

    where the “6” is the ID of the site as reported in IIS.

    After:

    <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
   xmlns="http://www.w3.org/2001/04/xmlenc#">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <KeyName>Rsa Key</KeyName>
     </KeyInfo>
     <CipherData>
      <CipherValue>Bf677iFrUFW ... +4n4ZZKXCTUAu2Y=</CipherValue>
     </CipherData>
    </EncryptedKey>
   </KeyInfo>
   <CipherData>
    <CipherValue>UDEZ ...QfXUmM5rQ==</CipherValue>
   </CipherData>
  </EncryptedData>
 </connectionStrings>

    Now that it is garbled, you can’t edit it.
    Decrypt like this:

    aspnet_regiis –pdf connectionStrings c:\PathToWebSite

    Or

    aspnet_regiis -pd connectionStrings -app "/" -site 6

    And then change and re-encrypt.

    To read the connection string, use the ConfigurationManager static class.

    string connStr = 
ConfigurationManager
.Connectionstrings["MainConnectionString"]
.ConnectionString.ToString();

var myConnection = new SqlConnection(connStr);

myConnection.Open();
    • 0