ASP.NET连接字符串加密/保护
[英]ASP.NET Connection String Encryption / Protection
问题描述
在ASP.NET中保护/加密连接字符串的最佳做法是什么,而不仅仅是在Web.Config中以纯文本形式存储
4 个解决方案
解决方案1
4 已采纳 2009-04-17 15:02:59
看看在.NET中以编程方式加密配置文件 ,它似乎涵盖了这一点。
解决方案2
3 2009-04-17 15:03:45
You can set this section to be encrypted . 
您可以将此部分设置为加密 。
However, that default encryption has pitfalls pointed out by others. 但是,默认加密存在其他人指出的陷阱。 You can also set your connection strings section to point to an external file, and that external file will work in concert with encryption. 您还可以将连接字符串部分设置为指向外部文件,该外部文件将与加密协同工作。 That should solve most concerns, because the sysadmin can set up encryption there without breaking anything else in the developer's web.config and a devloper can deploy changes to the config without undoing the sysadmin's encryption. 这应该解决大多数问题,因为系统管理员可以在那里设置加密,而不会破坏开发人员的web.config中的任何其他内容,并且devloper可以在不撤消sysadmin加密的情况下部署对配置的更改。
解决方案3
1 2009-04-17 15:03:23
Web.Config has built in support for encrypting connection strings (and other data), but this does have some overhead because the encryption is tied to the server, so the encryption must be set up by a server admin and not the developer. Web.Config内置支持加密连接字符串(和其他数据),但这确实有一些开销,因为加密与服务器绑定,因此加密必须由服务器管理员而不是开发人员设置。
you could also encrypt manually, with the encryption routine in your source. 您也可以使用源中的加密例程手动加密。
Why are you encrypting? 你为什么要加密? Who are you protecting from? 你是谁在保护自己? Hackers getting access to the web config? 黑客可以访问Web配置? Developers that shouldnt know the prod connection string? 不知道prod连接字符串的开发人员? The reasons behind the encryption will change the solution somewhat. 加密背后的原因会稍微改变解决方案。
解决方案4
0 2009-04-17 15:05:56
Best Practice is to use Windows Authentication (with the caveat on connection pooling). 最佳实践是使用Windows身份验证(有关连接池的警告)。
Failing that, encrypting connection strings is good practice: Keeping secrets in ASP.NET 2.0. 如果做不到这一点,加密连接字符串是一种很好的做法: 在ASP.NET 2.0中保守秘密。
Note: basic approach does not work with web farms. 注意:基本方法不适用于Web场。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.