Web.config encryption in shared hosting scenario

[Jazza]

Hi, I am an experienced .Net developer, but new to ASP.Net 2.0.

I have been using the Personal Web Site Starter Kit and have successfully
uploaded the site to a shared hosting provider. I am connecting to the SQL
database via SQL authentication rather than Windows authentication, as I have
no control over the Windows user accounts. This means the SQL user name and
password are in clear text in the connection string in web.config.

Therefore, best practice dictates that I encrypt the web.config file to hide
the SQL login details. But the only way to encrypt a section of the config
file is to run aspnet_regiis.exe on the server, to which I have no access.

What are my options, if any, for protecting my config file? Does anyone know
of any resources on how to create a custom encryption scheme?

Regards,

Jazza

 

[Adriano Labate]

Hello Jazza,

I saw your post because I have a similar problem.

I just begin to search for a solution because the customer does not allow
access to the web server where my application has to be deployed. I would
like to encrypt the database connection string located in the web.config.

Did you found a solution to this problem? Thanks

Sincerly,
Adriano

 

[Jazza]

Hi,

The answer I eventually got was that you can create a custom encryption
provider based on one of the built-in providers; you encryt the web.config
file using the custom scheme. The key used to encrypt the file is then saved
in a file that resides in a secure part of your web application.

You can then decrypt the web.config file using the same key.

I haven't implemented this as I decided that it was not worth the effort
involved.

 

[Dominick Baier]

You can do it programmatically.

Open the config using WebConfigurationManager, get the section using GetSection(),
and call Protect() on the SectionInformation you get back.