{"id":71932,"date":"2017-08-01T03:51:36","date_gmt":"2017-08-01T03:51:36","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=71932"},"modified":"2021-05-17T18:35:53","modified_gmt":"2021-05-17T18:35:53","slug":"encrypting-connection-strings-web-config","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/development\/dotnet-development\/encrypting-connection-strings-web-config\/","title":{"rendered":"Encrypting connection strings in web.config"},"content":{"rendered":"<p>Encrypting web.config elements is a good security feature. Web.Config elements can include passwords and important keys that we need to protect.<\/p>\n<p>There are several methods to encrypt the web.config:<\/p>\n<ul>\n<li>Using a command line statement<\/li>\n<li>Using .NET code<\/li>\n<li>Configuring the web deployment<\/li>\n<\/ul>\n<p>The easiest solution, although limited, is configuring the web deployment. When we prepare the deployment of a web application, a file with the PUBXML extension is included in the project. This file holds the configuration for the application deployment in XML format.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-71933\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2017\/08\/EncWebConfig01.png\" alt=\"PUBXML file\" width=\"278\" height=\"285\" \/><\/p>\n<p>Using a single additional configuration element, we can ensure the encryption of the connection string in the production <strong>web.config<\/strong>:<\/p>\n<blockquote>\n<p><strong>&lt;MSDeployEnableWebConfigEncryptRule&gt;true&lt;\/MSDeployEnableWebConfigEncryptRule&gt;<\/strong><\/p>\n<\/blockquote>\n<p>There are two limitations to this approach:<\/p>\n<ul>\n<li>This statement only encrypts the <strong>connectionStrings<\/strong> element. 
If you need to encrypt other sections, such as <strong>appSettings<\/strong>, this statement will not solve the problem.<\/li>\n<li>If the connection strings are in a different file, not in the <strong>web.config<\/strong>, this configuration doesn&#8217;t work: it can only encrypt connection strings stored in <strong>web.config<\/strong> itself.<\/li>\n<\/ul>\n<p>The solution for these limitations is an Exec element in the <strong>PUBXML<\/strong> file that executes a command line statement after the deployment.<\/p>\n<p>For example, to encrypt the appSettings element we can use the following elements inside the PUBXML file:<\/p>\n<div style=\"background: #ffffff;overflow: auto;width: auto;border: solid gray;border-width: .1em .1em .1em .8em;padding: .2em .6em\">\n<div style=\"margin: 0;line-height: 125%\"><span style=\"color: #007700\">&lt;Target<\/span> <span style=\"color: #0000cc\">Name=<\/span><span style=\"background-color: #fff0f0\">&quot;CustomPostPublishActions&quot;<\/span> <span style=\"color: #0000cc\">AfterTargets=<\/span><span style=\"background-color: #fff0f0\">&quot;MSDeployPublish&quot;<\/span><span style=\"color: #007700\">&gt;<\/span><\/div>\n<div style=\"margin: 0;line-height: 125%\"><span style=\"color: #007700\">\u00a0\u00a0\u00a0\u00a0&lt;Exec<\/span> <span style=\"color: #0000cc\">Command=<\/span><span style=\"background-color: #fff0f0\">&quot;C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis -pe appSettings -app \/webCustomers&quot;<\/span> <span style=\"color: #007700\">\/&gt;<\/span><\/div>\n<div style=\"margin: 0;line-height: 125%\"><span style=\"color: #007700\">&lt;\/Target&gt;<\/span><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Encrypting web.config elements is a good security feature. 
Web.Config elements can include passwords and important keys that we need to protect. There are several methods to encrypt the web.config: Using a command line statement Using&hellip;<\/p>\n","protected":false},"author":50808,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[143538,2],"tags":[],"coauthors":[],"class_list":["post-71932","post","type-post","status-publish","format-standard","hentry","category-dotnet-development","category-blogs"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/71932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/50808"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=71932"}],"version-history":[{"count":3,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/71932\/revisions"}],"predecessor-version":[{"id":71936,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/71932\/revisions\/71936"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=71932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=71932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=71932"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-j
son\/wp\/v2\/coauthors?post=71932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}