If you suffer from deep paranoia like me, you'll find a little disturbing to declare all your connection strings in the new <connectionsStrings> section of your web application's Web.config file. This is how it looks like before encrypting:
<connectionStrings>
<add name="Pubs" connectionString="Server=localhost;Integrated Security=True;Database=Pubs"
providerName="System.Data.SqlClient" />
<add name="Northwind" connectionString="Server=localhost;Integrated Security=True;Database=Northwind"
providerName="System.Data.SqlClient" />
</connectionStrings>
Behold ASP.NET 2.0 new security features. Now you can actually encrypt any section of your Web.config file on-the-fly and programatically. If you have full access to your Web server, you can encrypt your connection strings with this single command-line located in the in the %windows%\Microsoft.NET\Framework\versionNumber folder:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
If you can't execute commands in your web server, for example, when using shared hosting, you still can encrypt it programatically:
Configuration config = Configuration.GetWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.Sections["connectionStrings"];
section.ProtectSection ("DataProtectionConfigurationProvider");
config.Update();
Now, the section in your Web.config file will look like this:
<connectionStrings>
<EncryptedData>
<CipherData>
<CipherValue>AQAAANCMndjHoAw...</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
I hope you found this article useful. Happy coding!
This thread is for discussions of Encrypting Web.config sections in ASP.NET 2.0.
Encrypting Configuration section...
A configuration file cannot be created for the requested Configuration object.
Failed!
I have multiple websites on my webserver. I have one under the wwwroot which I encrypted using an app path in the -app parameter that was simply:
aspnet_regiis -pe "connectionStrings" -app "/"
I have another which happens to be subweb. I did it like:
aspnet_regiis -pe "connectionStrings" -app "/main/subweb"
This one also worked.
Then I tried it with one of my other ones which was not a subweb, I'll call it app2
aspnet_regiis -pe "connectionStrings" -app "/app2"
Now the way these webs are physically on the disc, the first one is under the inetpub/wwwroot and all of the rest are webs that are under a directory which I've named c:/myWebs. So the actual physical sites are as follows:
c:/myWebs/main/subweb
c:/myWebs/app2
The documentation that I can find says that the -app refers to the virtual directory so I am wondering if I am putting in the correct parameter for the -app keyword. Actually the name is pretty long - 23 characters, so maybe that could be a problem too.
Anyway, I was thinking of doing this programatically, but then I wondered how would that actually work? Would I create a special page that only I could access that would have an encrypt and decrypt button? Otherwise, what would prevent a casual hacker from going in and encrypting it? or decrypting it? I think I'm missing part of the equation -- perhaps you can enlighten me...
Thanks,
I noticed you found your own answer - and if anyone else comes here looking for the answer, they can see your solution at:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=218559&SiteID=1
(which is basically to go to the properties of the folder, select the Web Sharing tab, and select "Share this folder")
Thanks! :)
The error I get using C# 3.0 - System.Configuration.Configuration does not contain a definition for 'GetWebConfiguration'
Fix - System.Configuration.Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);