Encrypting/Decrypting Connection String

[VB Programmer]

I have my SQL Server connectionstring in my web.config file. I'm scared
that someone will open the file and get my username/password. How do I
encrypt, then decrypt the connection string in the web.config file?

 

[Guest]

User the DP API provided by Microsoft or use the .net crypto api which is
included in the .net framework. Essentally, you will have to write a app
that would encrypt this connection string, then copy and paste it in your
web.config. Then you will have to implement a funciton in your code to
decrypt the string.

 

[Steve C. Orr [MVP, MCSD]]

One of the best techniques is to use a trusted connection. That way you
don't need
to list a username or password so there is nothing to hide.
If this is not possible, you can alternately store the username and password
encrypted
in the registry.
Here's more information:
http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrfidentitysection.asp

 

[Sahil Malik]

In addition to Steve's reply you might also find the following valuable -

(How To Store an Encrypted Connection String in the Registry)
http://msdn.microsoft.com/library/en-us/secmod/html/secmod25.asp?frame=true

Might I add - there are mixed opinions about web apps accessing registry -
some guys think it's cool, some think it's not. My personal view is - as far
as security goes - that can be worked around in an acceptable manner - the
one issue the above mentioned link doesn't address is - registry is
SLOWWWWWWWW as a world war 2 tank !!!. (Like a WW2 tank .. it took a lot of
cra~p).

But then that can be worked around - it's easy - cache the connectionstring;
and setup a dependency similiar to FileDependecy or SqlDependency; and bingo
you just avoided the last argument against registry - performance.

- Sahil Malik
http://dotnetjunkies.com/weblog/sahilmalik