Storing Encrypted Connection Strings in Web Applications
It’s common practice to store connection strings in the Web.config file. This makes it easy to change the connection string without requiring a recompile of the application. However, connection strings can contain logon information such as user names and passwords. You certainly don’t want this information to be easily readable by anyone. The solution is to encrypt the connection strings. You can do this by using the aspnet_regiis.exe utility to encrypt the connectionStrings section. You can use the /? option to get help on the utility.
You encrypt and decrypt the contents of a Web.config file by using System.Configuration.DpapiProtectedConfigurationProvider, which uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data, or System.Configuration.RsaProtectedConfigurationProvider, which uses the RSA encryption algorithm to encrypt and decrypt data.
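
The following PowerShell script is an added example, not code from the original text: it encrypts the connectionStrings section with aspnet_regiis.exe and then checks the file on disk to confirm that no readable entries remain. The site path, application pool name, and 64-bit .NET 4.x framework directory are assumptions; replace them with your own values.

```powershell
# Run from an elevated prompt on the web server.
# Assumed values (not from the original text): adjust to your environment.
$siteDir   = 'C:\inetpub\wwwroot\MyApp'      # hypothetical folder that holds Web.config
$appPool   = 'IIS APPPOOL\MyAppPool'         # hypothetical worker process identity
$regiis    = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$webConfig = Join-Path $siteDir 'Web.config'

# Default provider names registered in machine.config:
#   RsaProtectedConfigurationProvider   - RSA key container, can be exported to other servers
#   DataProtectionConfigurationProvider - DPAPI, decryptable only on the machine that encrypted
$provider = 'RsaProtectedConfigurationProvider'

# -pef: encrypt the named section of the Web.config found in a physical directory.
& $regiis -pef 'connectionStrings' $siteDir -prov $provider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed (exit code $LASTEXITCODE)" }

# With the RSA provider, the account running the application must be able to
# read the key container, or the section cannot be decrypted at run time.
if ($provider -eq 'RsaProtectedConfigurationProvider') {
    & $regiis -pa 'NetFrameworkConfigurationKey' $appPool
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed (exit code $LASTEXITCODE)" }
}

# Verify the result instead of trusting the tool's console output.
[xml]$cfg = Get-Content -Raw -Path $webConfig
$section  = $cfg.configuration.connectionStrings

if (-not $section.configProtectionProvider) {
    throw 'connectionStrings has no configProtectionProvider attribute; the section is not encrypted.'
}
if (-not $section.EncryptedData) {
    throw 'connectionStrings contains no EncryptedData element.'
}
if ($section.add) {
    throw 'Plaintext <add> entries are still present in connectionStrings.'
}

# Credentials sometimes also live in other sections (for example appSettings),
# which this command does not touch. Flag anything that looks like one.
if (Select-String -Path $webConfig -Pattern 'password\s*=' -Quiet) {
    Write-Warning 'Web.config still contains text matching "password="; review the other sections.'
}

"connectionStrings is protected by $($section.configProtectionProvider)"

# To reverse the operation: & $regiis -pdf 'connectionStrings' $siteDir
```

The application code does not change: ASP.NET decrypts the section transparently when it reads the connection strings. Remove any plaintext copies of Web.config (backups, deployment packages) that were made before encryption.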