Encrypt and store password in web.config file

2019-07-02 01:52发布

问题:

I have the following information in my web.config file.

<appSettings>
<add key="AdminUsername" value="User1"/>
<add key="AdminPassword" value="Password1"/>
</appSettings>

how do I encrypt it and store? how do I decrypt and use?

回答1:

Kindly refer to the article - http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.80%29.aspx

The command is:

aspnet_regiis.exe -pe "appSettings" -site "MySharePoint" -app "/"

where MySharePoint is a Virtual Directory. The web.config file should be inside the directory too.



回答2:

The drawback of encrypting configuration sections using aspnet_regiis or the equivalent APIs is that it encrypts entire sections.

Good from a security perspective, but it makes it more difficult for an administrator to inspect other non-sensitive configuration data in the same section. appSettings is a section which an administrator will often want to inspect.

One option is to put your credentials in a different section (e.g. create a dummy connection string in the <connectionStrings> section) and encrypt only this section:

<connectionStrings>
   ...
   <add key="AdminCredentials" 
        providerName="" 
        connectionString="Username=...;Password=..." />
</connectionStrings>

You will of course have to write code to parse the dummy connection string (String.Split) and extract the credentials. Something like the following (omitting error handling for simplicity):

string s = ConfigurationManager.ConnectionStrings["AdminCredentials"].ConnectionString;
string[] tokens = s.Split(';');
string userName = tokens[0].Split('=')[1];
string password = tokens[1].Split('=')[1];
...

By doing this, you can leave your appSettings section unencrypted.