Advertuse

Search This Blog

Your Ad Here

Wednesday, 29 June 2011

When your client will concern about his db password


Hi friends,

When you get a client who is more technical ,then it accentuate on safety of his critical data. Recently I faced such type of client. When my client went through publish asp.net project on server and he found that our db password inside  web.config ‘s connection string , and  expressed his concern for  it safety of db password. so   he suggested me not to  placed in web.config moreover he asked me to  hardcoded that password in my asp.net code and obfuscate that dll..!!.

But this is rubbish idea..!!, so I have  used technique to encrypt  some part of configuration section of web.config  using Aspnet_regiis.exe tool to encrypt sections(in my case i did only connectionstring) of my project’s web.config.
 microsoft  .net framework by default  provides following  protected configuration provider
  1. RsaProtectedConfigurationProvider
  2. DataProtectionConfigurationProvider
I have  implemented   RsaProtectedConfigurationProvider for my project,

 I have done only connection-string encryption, as this encryption will increase the  some overhead in  asp.net application system hence it may affect the performance of our application. so microsoft suggested to do only those section which are more concern with security. so in  my case I will do encryption for only connection string section.

before encryption my connection string was something like  this ..





 
Then  I have run  following  command  to encrypt my   connection string 


And  I got following changes in my  web.config


 I hope you like  this trick which is available since .net framework 2.0 to encrypt your certain data in webconfig

Compile by
Divyang Panchasara



No comments: