JohnMSyrasoft #1
ASP.NET 2.0 Encrypted Connection String
I have a question regarding the storage and encryption of connection string
data within an ASP .Net application that I am writing. I am using ASP .NET
2.0 and have just recently downloaded the latest CTP Beta 2 version of
Whidbey. After some trial and error, I am faced with three options and would
like to know what would be the best way to proceed.
Option 1:
My original idea was to do things a little differently by storing my
appSettings in a different file using the convenient external linking
capability in the web.config file:
<appSettings file="filename.config">
My connection string information is stored under the appSettings section. I
purposely wanted to leave out appSettings from the web.config file.
So my filename.config looks something like this:
<appSettings>
    <add key="ConnectString" value="connectstringvalue…."></add>
    <add key="secondkey" value="secondvalue"></add>
    <add key="thirdkey" value="thirdvalue"></add>
</appSettings>
My question is, can I have the best of both worlds by using this external
linkage capability as well as using the ConfigurationManager in this code to
encrypt my appSettings:
Public Sub EncryptAppSettings(ByVal protectionProvider As String)
    '---open the web.config file
    Dim config As System.Configuration.Configuration = _
        ConfigurationManager.OpenWebConfiguration(_virtualAppPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
        config.Sections("appSettings")
    '---specify the protection provider
    If Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection(protectionProvider)
        '---Apply the protection and update
        config.Save()
    End If
End Sub
The problem is that "config.Save()" dumps all my appSettings directly into
web.config.
So first of all, is this option even possible? If so, then what am I doing
wrong or not doing at all? If this is not feasible, then I think it leaves me
to choose between Option 2 & Option 3.
Option 2:
Instead of using the ConfigurationManager for encryption/decryption, I would
write my own encryption/decryption methods that use the classes in the
System.Xml and System.Security.Cryptography namespaces to access my
connection string key in my appSettings file, and then encrypt or decrypt it.
I would call these methods any place within my application where the data
needs to be accessed via the connection string.
Option 3:
Instead of storing my connection string information under appSettings, I
would revert back to storing it in my web.config file under the
<connectionStrings> tag and use the following code whenever it needs to be
replaced with a new encrypted connection string:
Dim connectString As New ConnectionStringSettings
ConfigurationManager.ConnectionStrings.RemoveAt(0)
connectString.Name = "EarltonConnection"
connectString.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & smsPath & _
    ";Persist Security Info=True;Jet OLEDB:Database Password=holly"
ConfigurationManager.ConnectionStrings.Add(connectString)
Me.EncryptConString("RSAProtectedConfigurationProvider")
End Sub
-------------------------------------------------------------------
Public Sub EncryptConString(ByVal protectionProvider As String)
    '---open the web.config file
    Dim config As System.Configuration.Configuration = _
        ConfigurationManager.OpenWebConfiguration(_virtualAppPath)
    '---indicate the section to protect
    Dim section As ConfigurationSection = _
        config.Sections("connectionStrings")
    '---specify the protection provider
    If Not section.SectionInformation.IsProtected Then
        section.SectionInformation.ProtectSection(protectionProvider)
        '---Apply the protection and update
        config.Save()
    End If
End Sub
Correct me if I am wrong, but option 3 would remove the need to have to
write my own decryption function since automatic decryption occurs for
controls that need to connect to the database, and also due to the fact that
I am not technically changing the connection string (I would not be allowed
to anyway since it is a ReadOnly property) but replacing it with a new one.
Please advise which of the three options would be the best in terms of
security and feasibility. (Ideally I would like to use Option 1, leaving out
the connection string from my web.config file, but from my own experience, it
will not seem to work.) Thank you,
Sabeeh
JohnMSyrasoft Guest
Brock Allen #2
Re: ASP.NET 2.0 Encrypted Connection String
I'd suggest against #2, as writing your own security code tends to make your
app less secure. Also, you'll have a key management issue if you do your
own encryption and then you're back to the original problem.
As for Option #1, you might be able to manually copy all that goo out and
put it into the external file, but then that's all manual, so you might be
out of luck. Though, the AppSettingsSection class has a File property. I've
not tried it myself, but perhaps you could specify the filename prior to
saving.
I'd go with Option #3. You are correct in saying that once the <connectionStrings>
is encrypted, you don't have to do anything special to read them -- they're
decrypted prior to you calling the APIs (though that's true with any section
encrypted with Protect()). Also, the benefit to this approach is that other
controls use the <connectionStrings> so you simply configure them with your
connection string name. If you stored that info elsewhere, then they'd not
know where to look for the DB information.
-Brock
DevelopMentor
http://staff.develop.com/ballen
Brock Allen Guest
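
An added example for Option 3, not code from either poster: it replaces a named connection string through an editable Configuration object (the runtime ConfigurationManager.ConnectionStrings collection is read-only), saves the section encrypted, and reads it back with no decryption code. It assumes the released .NET Framework 2.0 API names (WebConfigurationManager, HostingEnvironment), which may differ from the Beta 2 build discussed above; the module and method names are hypothetical.

```vbnet
Imports System.Configuration
Imports System.Web.Configuration
Imports System.Web.Hosting

' Hypothetical helper module; names are illustrative, not from the thread.
Public Module ConnectionStringProtector

    ' Replaces (or adds) a named connection string in the application's
    ' web.config and makes sure the section is written back encrypted.
    Public Sub ReplaceAndProtect(ByVal name As String, _
                                 ByVal newValue As String, _
                                 ByVal protectionProvider As String)
        ' Open an editable copy of web.config for this application.
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration( _
                HostingEnvironment.ApplicationVirtualPath)
        Dim section As ConnectionStringsSection = config.ConnectionStrings

        ' Edit through the opened Configuration object, not the runtime
        ' collection. An already protected section is decrypted in memory.
        If section.ConnectionStrings(name) IsNot Nothing Then
            section.ConnectionStrings.Remove(name)
        End If
        section.ConnectionStrings.Add( _
            New ConnectionStringSettings(name, newValue))

        ' Mark the section protected once; later saves re-encrypt it.
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection(protectionProvider)
        End If
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
    End Sub

    ' Reading needs no decryption call: the configuration system
    ' decrypts the protected section before returning its values.
    Public Function ReadConnectionString(ByVal name As String) As String
        Dim entry As ConnectionStringSettings = _
            ConfigurationManager.ConnectionStrings(name)
        If entry Is Nothing Then
            Throw New ConfigurationErrorsException( _
                "Connection string '" & name & "' is not configured.")
        End If
        Return entry.ConnectionString
    End Function

End Module
```

The new connection string is passed in as a parameter so the database password does not sit in source code; the account the application runs under needs write access to web.config for the save to succeed.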




