在Asp.net MVC中保护连接字符串

Question

I have An Asp.net MVC Application With VS.Net2013 in my webconfige file i have connection string Section like this:

 <connectionStrings>
    <add name="ConnectStrNL" connectionString="server=192.168.0.71\ins1;database=FNHProvider;MultipleActiveResultSets=true;persist  security info=True;User ID=general;Password=123;" />
    <add name="connectionStringGeneral" connectionString="server=192.168.0.254;database=NFS;MultipleActiveResultSets=true;persist security info=True;User ID=General;Password=*******;" />
</connectionStrings>

i wanted to Hide User And Pass Of Databases From Every one. and also i have limitation not to use this method (aspnet_regiis.exe -site "EncryptDemo" -app "/" -pe "connectionStrings")

Answer 1

There are 2 basic things that you can do if you don't want your password to be in the configuration file:

1. Use Windows authentication. This should always be you preferred approach unless there are some reasons why you cannot use Windows authentication and you are forced to use SQL authentication

2. Encrypt the connection string. Since you cannot use aspnet_regiis_exe , as you mentioned in the question, you can encrypt the section from the code. The below code should be run once at the start of the application:

    using System.Web.Configuration; using System.Web.Security; using System.Configuration; public void EncryptConnString() { Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath); ConfigurationSection section = config.GetSection("connectionStrings"); if (!section.SectionInformation.IsProtected) { section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider"); config.Save(); } } 

The code was taken from this site , you can find more information there.