Encrypted Connection String

[Scott M.]

How would I go about taking my DB connection strings and putting them into
my Web.Config file in encrypted form? Of course, I'd need to know how to
call and decrypt them from the various .aspx pages that need the info.

Thanks!

[MSFT]

Hi Scott,

Normmally, the client user can't access the web.config and we can consider
the connection string is safe without encryption. If you do want to encrypt
a string in web.config, you may take a look at classes in
System.Security.Cryptography Namespace:

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/[/url]
frlrfSystemSecurityCryptography.asp

Luke
Microsoft Online Support

Get Secure! [url]www.microsoft.com/security[/url]
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

[Scott M.]

Hi Luke. Thanks for your reply. The link you posted will be helpful. The
only comment I have is that "normally" the client user can't get the the
source code of the ASP.NET page either, but we don't consider putting
connection strings in them a safe thing to do so encryptioin AND using
web.config gives us a second and third line of defense.



"MSFT" <lukezhan@online.microsoft.com> wrote in message
news:VZMs8xtwDHA.3972@cpmsftngxa07.phx.gbl...

> Hi Scott,
>
> Normmally, the client user can't access the web.config and we can

consider

> the connection string is safe without encryption. If you do want to

encrypt

> a string in web.config, you may take a look at classes in
> System.Security.Cryptography Namespace:
>
>

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/[/url]

> frlrfSystemSecurityCryptography.asp
>
> Luke
> Microsoft Online Support
>
> Get Secure! [url]www.microsoft.com/security[/url]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>

The November issue of MSDN magazine has an article on this
topic.

>-----Original Message-----
>Hi Luke. Thanks for your reply. The link you posted

will be helpful. The

>only comment I have is that "normally" the client user

can't get the the

>source code of the ASP.NET page either, but we don't

consider putting

>connection strings in them a safe thing to do so

encryptioin AND using

>web.config gives us a second and third line of defense.
>
>
>
>"MSFT" <lukezhan@online.microsoft.com> wrote in message
>news:VZMs8xtwDHA.3972@cpmsftngxa07.phx.gbl...

>> Hi Scott,
>>
>> Normmally, the client user can't access the web.config

and we can

>consider

>> the connection string is safe without encryption. If

you do want to

>encrypt

>> a string in web.config, you may take a look at classes

in

>> System.Security.Cryptography Namespace:
>>
>>

>[url]http://msdn.microsoft.com/library/default.asp?[/url]

url=/library/en-us/cpref/html/

>> frlrfSystemSecurityCryptography.asp
>>
>> Luke
>> Microsoft Online Support
>>
>> Get Secure! [url]www.microsoft.com/security[/url]
>> (This posting is provided "AS IS", with no warranties,

and confers no

>> rights.)
>>

>
>
>.
>