When we use Sql authentication to connect to database it will be better if we encrypt and decrypt the connection string for security purpose because the userid and password are specified in clear text. Even though, users can't access web.config file, it is still not safe because the server admins can still see the userid and password from web.config files. For example, in shared hosting environments. So, it will be better if we encrypt the connection string in web.config file in these scenarios.
Understanding this need, Microsoft introduced a new technique to encrypt and decrypt the Web.Config sections in Asp.Net 2.0.
ASP.Net 2.0 has 2 providers for encrypting and decrypting config sections, RSA(RSAProtectedConfigurationProvider) and DPAPI(DataProtectionConfigurationProvider)
To encrypt a connection string section,
protected void btnEncrypt_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("connectionStrings");
if (!section.SectionInformation.IsProtected)
{
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
config.Save();
}
}
To use RSA algorithm, use RSAProtectedConfigurationProvider in the place of DataProtectionConfigurationProvider in the above code snippet.
This is how the connection string section will look like once encrypted,
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
<EncryptedData>
<CipherData>
<CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAkNndGkx6M06QQFz+
eH4CEgQAAAACAAAAAAADZgAAqAAAABAAAABnbufC7mjGVvEtpmFPMqb8AA
AAAASAAACgAAAAEAAAAE/T9z3T5oBv2fMob6hZJsCYAQAAwjp5wFWl7ppY
zHmMSSQPsIoLGnmlVTIPdcldbx3ZvWQwyr6GWCZPd0PmQG5AGX2XfRqGSazdWgWn
1vnCV1u67Lfaf5Be4BABIT2SB+gXcjA3MCaqNvK4PICPNk4s662xPIrCycBv+Vl5ug
TS7zstqVSLhFqAVs7DKNmUoWFSa+6RvtyrdK57Uh4wyP0WdD/doAVByLJjQ8RVKVWm
IyFmi8iQiACVQPgNOGMKRVuchxpc6fiARnyTuMrQ6ZWS15f2G/vwLg9Q/7QBWOpKh4t
LOeoFJX/m+l+9sCD1dJ2Jb/orKg2Nh1aUjfjqnkNZG1jY9JUDLhxGOx8tsPP75VlIw
OqsgNOdojP8BiXJsrDfPhp/BKmV6dgZEvOh2HBkt4x2y0fb9CDlvI/F28lVQGw741If
0P34UTBVZxbe6ka1075rlbXNSCjd33U+mx2ZNk7PG/c8HK6bql5ILM/sxO0wjUP68F
wK2s3CadKzaki9eeTiIE9uGnlctq9Chb2f2E1uwnrefd856BzTK8eOGxTTbF8PU9uFp
Hc1FAAAAMFZTg7MFHHeRLFM9s6ZJ1uBuOkr</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
The connection string can be still accessed in code by regular ways,
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["Sql"].ConnectionString);
To see back the original connection string we need to decrypt it.
To decrypt a connection string section,
protected void btnDecrypt_Click(object sender, EventArgs e)
{
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("connectionStrings");
if (section.SectionInformation.IsProtected)
{
section.SectionInformation.UnprotectSection();
config.Save();
}
}
引用: http://www.codedigest.com/CodeDigest/107-Encrypting-Decrypting-Connection-String-in-ASP-Net.aspx