0

I want to secure a connection string so it is not possible to "read" it out for any purpose.

At the moment I'm doing it like this, and I know it is like the Windows Firewall, open in all directions...

private static string connStr = "server=localhost;user=MySuperSecretUser;database=MySuperSecretDatabase;port=3306;password=MySuperSecretPassword;sslMode=none;";
private static MySqlConnection conn = new MySqlConnection(connStr);
private static MySqlConnection conn2 = new MySqlConnection(connStr);

Does anybody know how I can secure it so nobody is able to help me out here?

8
  • 3
    not possible to "read" it out for any purpose - then you might as well delete it. Commented Sep 12, 2018 at 8:36
  • 1
    I know it can be done using Encrypt Configuration Files. Here is some documentation about that Commented Sep 12, 2018 at 8:36
  • 3
    want to secure a connectionstring so it is not possible to "read" it out for any purpose. this is... wait, what is the connection string for then? Though if it's in web.config you can encrypt it. Commented Sep 12, 2018 at 8:36
  • Here's hoping this is for a web API/server application and not an application released to end users. Commented Sep 12, 2018 at 8:39
  • @ChristianMurschall That encryption can be reversed either with RSA being used or DPAPI as long as the decryption is run under the same machine and user (would have access to the same key storage used to encrypt it). Commented Sep 12, 2018 at 8:43

2 Answers

1

If you are using standard .NET, follow the steps below to encrypt the connection string.

Encrypting Web.Config

Step 1: Open Command Prompt with Administrator privileges

Step 2: At the Command Prompt, enter the command below

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319

Step 3:

If your Web.config is located in the "D:\Articles\EncryptWebConfig" directory, enter the following to encrypt the ConnectionString. Please note that ConnectionString is case sensitive.

ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"

Accessing Decrypted Configuration Settings

ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings.

string ConnString = ConfigurationManager.ConnectionStrings[1].ToString();


0

You can encrypt it, but if your code can use it, someone with access to the code can also decrypt it.

The solution I've seen is for the developers to restrict access to the code, and for the server admin team to restrict access to the config files.

The server admin team (who already know this information) use the encryption tool to set up the config file on the web server. The programmers can't access the config file and any hacker that reads the config file can't decrypt it.

1 Comment

Any hacker with access to the right account can decrypt it. Hint: how does the app use the connectionstring?
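
The following is an added example, not code from either answer. It is the programmatic counterpart of the `ASPNET_REGIIS -pef` step for a .NET Framework executable, and it shows the point made in the comments: the section is encrypted on disk, yet the application reads it back in clear text with no extra code. It assumes an App.config containing a connection string named "AppDb" (a hypothetical name) and uses the built-in DPAPI provider.

```csharp
using System;
using System.Configuration; // requires a reference to System.Configuration.dll

static class ConnectionStringProtection
{
    // Built-in .NET Framework protected-configuration provider backed by DPAPI.
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the <connectionStrings> section of the given config file in place.
    // Returns true when the section is protected on disk afterwards.
    public static bool Protect(Configuration config)
    {
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsLocked)
            return false; // nothing to protect, or a parent config forbids changes

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(DpapiProvider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        return section.SectionInformation.IsProtected;
    }

    static void Main()
    {
        // Opens <exe name>.exe.config next to the running executable.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        Console.WriteLine("connectionStrings encrypted on disk: " + Protect(config));

        // Decryption is transparent: any code that can reach the same key
        // reads the plain connection string exactly as before encryption.
        ConfigurationManager.RefreshSection("connectionStrings");
        ConnectionStringSettings s =
            ConfigurationManager.ConnectionStrings["AppDb"]; // hypothetical name
        Console.WriteLine(s == null
            ? "AppDb is not configured"
            : "read back " + s.ConnectionString.Length + " characters in clear text");
    }
}
```

Encryption of the section therefore protects the file at rest (backups, copied config files); restricting who can log on as the application's account and who can read its key store is what limits decryption.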
