原文链接:https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
web.config中一般会存放一些关键的信息,比如数据库链接字串,如果没有加密,就会有安全风险。
本次文章转载一个印度小哥写的教程,使用.net framwork自带的aspnet_regiis组件为web.config加密
Introduction
The tip gives you information about how to encrypt the connection string in Web.Config to increase the security and keep the connection with the database secure. There is so much other sensitive information that can be encrypted but in this tip, I'll particularly talk about encrypting the ConnectionString
in Web.Config file.
Why It Is Important?
Encrypting sensitive sections of the Web.Config is important because they are just that, sensitive. Think about production Web.Config file. It may contain all information that requires running your web application. There are often passwords for SQL database connections, SMTP server, API Keys, or other critical information. In addition to this, Web.Config files are usually treated as just another source code file, that means, any developer on the team, or more accurately anyone with access to the source code, can see what information is stored in Web.Config file.
Encrypting the Connection String
In our example, we will encrypt ConnectionString
in our Web.Config file.
Before Encrypting Web.Config
If you look at the below Config file, it can be easily readable. This doesn't seem to be secure if anyone has access to your Web.Config file.
<configuration>
<connectionStrings>
<add name="SqlServices" connectionString="Data Source=localhost;Integrated Security=SSPI;Initial Catalog=Northwind;" />
</connectionStrings>
</configuration>
Encrypting Web.Config
- Open Command Prompt with Administrator privileges
- At the Command Prompt, enter:
Hide Copy Code
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
- In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the
ConnectionString
:Hide Copy CodeASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use Aspnet_regiis.exe tool with the
–pef
option and specify the application path as shown above.Note: The parameter "
connectionStrings
" is case sensitive.
After Encrypting Web.Config
After encrypting your ConnectionStrings
section, your ConnectionStrings
will not be in a readable format.
<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>ZbDTF00MYzUUW5U3w3PU0rfiAH1UKhvuLSNWPmB/YifBKne6HAWfVc3CnKVimyP8SFyamaR5oAIAxj/xavfpox8EOYXNI+afsksiuA5huSDupCZKNuXq+VCZrdIyn6YOq+W7s3Ojlu7q9VwKcoKurl28l2hcPvWkBk11KYB7hr0=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>42IPPRUjJxCNDHEBLCAJI4/NyLpLueZSBzUXO69lVdZU8+nLpxO+opnbZNxqddyzNnbCO1Uk2Da3ljExkqnLIxT2zs90JAhZvJ5ljIgCipq7ZEp7zHOpvTH9fBGoZJJWhgdddOrHZsLDE9mILjlvBHDhPQrYcMHtY6oLIbxJq92it82iBJv0fS7v1S/o0p4hAtfky+6hXCZWSKUJHr88NDrKe2EEK3mazD2QD5Ozf/w=</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
</configuration>
Accessing Decrypted Configuration Settings
It’s very good to know that ASP.NET automatically decrypts the contents of the Web.Config file when it processes the file. Therefore, no additional steps are required to decrypt the encrypted configuration settings. You can run your existing application by encrypting your Web.Config file and it will run perfectly without any modification to your existing code. Isn't that interesting?
string ConnString = ConfigurationManager.ConnectionStrings[1].ToString();
Decrypting the Connection String
Is it possible to decrypt my Web.Config so that I can read it in original format?
Yes, it is possible.
Simply perform the following command to decrypt the connectionStrings
element in the Web.config file.
ASPNET_REGIIS -pdf "connectionStrings" "D:\Articles\EncryptWebConfig"
Note: The parameter "connectionStrings
" is case sensitive.
Questions and Answers
1. You might ask me a question if Web.Config file can be encrypted and decrypted using ASPNET_REGIIS
then anyone who has access to Web.Config file can decrypt the content, right?
To answer this question, I would say no, if you encrypt your Config file, then your machine would store your keys and if you copy the Config file to a different system and try to decrypt it, then you might get an error.
Pros
- Web.Config sensitive information is not in a readable condition (after encryption)
- You don't have to explicitly write code to decrypt the Web.Config file as ASP.NET automatically decrypts the configuration and processes your request
Cons
- You can't modify the encrypted content on the fly. It requires you to decrypt the content before editing.
Points of Interest
Web.Config encryption only takes a couple moments and provides much more security than a clear-text file. It may not be enough to thwart a hacker that has full access to your entire server.
I'm encrypting all my sensitive data stored in Web.Config after learning the concept of encryption. How about you?