Secure methods of storing keys, passwords for asp.

2019-07-12 18:17发布

问题:

What is the best practice for storing keys, and or passwords for a website. These keys are for various 3rd party web services. Is it best to have them in the Web.config file, or in the database, or encrypted somehow?

回答1:

Assuming your database isn't accessible from the outside world or that you have it properly locked down that would be the preferred way to store the keys. This allows all of your applications to pull from the same store of keys/passwords making changes very quick and easy.



回答2:

You can store the encrypted values in the .config file, and ASP.NET 2.0 will decrypt them on the fly.

Your configuration would look something like:

<configSections>
   <section 
      name="sampleSection" 
      type="System.Configuration.SingleTagSectionHandler" 
   />
</configSections>

<MySecrets
   FavoriteMusic="Disco" 
   FavoriteLanguage="COBOL" 
   DreamJob="Dancing in the opening ceremonies of the Olympics" 
/>

and then you run the following from a command line, in the same directory as your config file:

aspnet_regiis -pef MySecrets .

From K. Scott Allen:

http://odetocode.com/Blogs/scott/archive/2006/01/08/2707.aspx



回答3:

Depends on how often the values change. If they will never change then I would keep them in your source code.

I would stay away from storing data that changes in the Web.Config because changing it forces a restart of the App pool.

My vote would be to store them, encrypted, in the database and provide an easy way for the values to be changed (e.g. store values in the cache and refresh them when they are altered by a user).



标签: security