Connection string encryption and decryption🔐

Sulaiman Kareem
3 min read · Sep 1, 2022

Connection strings contain sensitive data about the database you are connecting to, such as the username and password. Those connection strings live in the Web.config file, which is a source file like any other: any developer on the team, or more accurately anyone with access to the source code, can read the information stored in Web.config.

In this article, I will focus on encrypting the connectionStrings section only, using the RSA Protected Configuration provider and the Aspnet_regiis.exe tool (Aspnet_regiis.exe is located in the %windows%\Microsoft.NET\Framework\versionNumber folder).

To encrypt any section of web.config, we use the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element we want to encrypt. Before performing the encryption, however, we must create the RSA key container (RSA is a public-key encryption algorithm; read more on the RSA algorithm here). Because we want to deploy the website to multiple servers, it is important to create and export the RSA key container first and then deploy that same exported key container to each of those servers. To do this, we create an RSA key container for the application, export it to an XML file, and import it on every server that needs to decrypt the encrypted Web.config file.

  • Creating RSA Key Container

We can use the ASP.NET IIS registration tool to create a new RSA key container with the -pc switch. We have to give the key container a name that matches the keyContainerName of the RSA provider declared in web.config. To make sure the RSA key container can be exported later, we should add the -exp option.

The next step is granting access to the RSA key container. We use -pa to add an account.

This grants the NETWORK SERVICE account read access to the machine-level RSA key container.

  • Encrypting the web.config by using the RSA provider

To encrypt the connection strings, we can simply use the following command, which names the "connectionStrings" section:

  • Exporting RSA Key Container

We can use the -px switch to export the RSA key container to an XML file. The XML file serves as a backup of the RSA key container and is also what we import on a different server. To include the private key in the XML file, specify the -pri option when exporting the key; without the private key the other server cannot decrypt the section.

  • Importing and granting authority on servers

Alright, now that we have the RSA key container exported, we can move it to the intended server and import it there using the following command:

After importing the container, we have to grant access to the IIS AppPool identity (or NETWORK SERVICE, or IUSR, depending on your configuration and use case):
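The whole procedure above, collected into one PowerShell script, as an added example that is not code from the original article. The container, provider, site folder, app pool and framework version folder are assumptions.

```powershell
# Added example, not code from the original article. Assumed names: container
# "MyAppRsaKeys", provider "MyAppRsaProvider", site folder C:\inetpub\MyApp,
# key file C:\keys\MyAppRsaKeys.xml, app pool "MyAppPool", framework v4.0.30319.
$regiis    = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"  # Framework\ for 32-bit pools
$container = "MyAppRsaKeys"            # must equal keyContainerName in Web.config
$provider  = "MyAppRsaProvider"        # must equal the provider name in Web.config
$sitePath  = "C:\inetpub\MyApp"        # physical folder that holds Web.config
$keyFile   = "C:\keys\MyAppRsaKeys.xml"
$appPool   = "IIS AppPool\MyAppPool"   # identity that must read the container at runtime

# Web.config must declare the provider that ties the section to the key container:
#   <configProtectedData>
#     <providers>
#       <add name="MyAppRsaProvider"
#            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#            keyContainerName="MyAppRsaKeys" useMachineContainer="true" />
#     </providers>
#   </configProtectedData>

# --- On the server where the key pair is created ---
& $regiis -pc $container -exp          # create an exportable machine-level RSA container
& $regiis -pa $container $appPool      # grant the runtime identity read access to it
& $regiis -pef "connectionStrings" $sitePath -prov $provider   # encrypt the section by physical path

# Check: the plaintext is gone and an <EncryptedData> element took its place.
$cfg = Get-Content "$sitePath\Web.config" -Raw
if ($cfg -notmatch "<EncryptedData") { throw "connectionStrings section was not encrypted" }

& $regiis -px $container $keyFile -pri # export the container, including the private key

# --- On each additional server, after copying the XML file over a protected channel ---
& $regiis -pi $container $keyFile      # import the container
& $regiis -pa $container $appPool      # grant the app pool identity access on this server too
Remove-Item $keyFile                   # the XML holds the private key; do not leave it on disk
```

The -pe form used in the article works the same way but addresses the site by its IIS virtual path (-app "/MyApp") instead of its physical folder.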

Congratulations 🥳

Your web app is more secure and safe against attackers!
