How to protect your Connection Strings
Question: "How to protect and secure the connection strings?"
Answer:
"It is recommended that store your database connection strings in the Web.config file and encrypt the connection strings. In the .NET Framework 2.0, you have the option to enable the configuration encryption in the <protectedData> section in the web.config file.
For example:
<protectedData>
<protectedDataSections>
<add name="connectionStrings" provider="RSAProtectedConfigurationProvider"/>
</protectedDataSections>
</protectedData>
There are two predefined providers that you can find in the .NET Framework 2.0:
1. DPAPIProtectedConfigurationProvider: It uses the Windows data protection API (DPAPI) to encrypt and decrypt configuration data.
2. RSAProtectedConfigurationProvider: It uses RSA encryption to encrypt and decrypt configuration data
Both the RSA and DPAPI providers are good options for you to encrypt the sensitive data.
However, DPAPI is not recommended to proctect sections in a web farm scenario. This is because the same encrypted web.config file will be deployed to all the machines. What you can do here is to manually encrypt the web.config files on each machine or copy the same container key to the machines.
To create a key container: aspnet_regiis.exe -pc YourContainerName -exp
Export to an XML file: aspnet_regiis.exe -px YourContainerName YourXmlFile.xml
Move the XML file to other machin: aspnet_regiis.exe -pi YourContainerName YourXmFile.xml
Here is an article discussed on the Encrypting Connection Strings in Web.config. https://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html "