I am developing a web app which requires a username and password to be stored in the web.config; it also refers to some URLs which will be requested by the web app itself and never the client.
I know the .Net framework will not allow a web.config file to be served, however I still think it's bad practice to leave this sort of information in plain text.
Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.
Can anyone recommend any good, free encryption DLLs or methods which I can use? I'd rather not develop my own!
Thanks for the feedback so far guys, but I am not able to issue commands and not able to edit the registry. It's going to have to be an encryption util/helper, but just wondering which one!
Use aspnet_setreg.exe http://support.microsoft.com/kb/329290
EDIT:
If you can't use the asp utility, you can encrypt the config file using the SectionInformation.ProtectSection method.
Sample on codeproject:
Encryption of Connection Strings inside the Web.config in ASP.Net 2.0
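The programmatic route mentioned above, written out as an added example (this is not code from the answer or the linked CodeProject article): it protects a named section of the running application's own web.config with the DataProtectionConfigurationProvider, which is the same DPAPI-backed provider aspnet_regiis -pef uses by default. It needs neither a command line nor registry access; the only assumption is that the application pool identity can write web.config for the one-off call (for example from a temporary admin page that you remove afterwards).

```csharp
// Added example, not from the original answer: encrypt or decrypt a web.config
// section in place from inside the web application itself.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // One of the two providers registered in machine.config out of the box.
    // It uses machine-scope DPAPI, so the ciphertext is bound to this server.
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Encrypts e.g. "appSettings" or "connectionStrings".
    // Returns true if this call encrypted the section, false if it already was.
    public static bool ProtectSection(string sectionName)
    {
        // "~" opens the root web.config of the current web application.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(ProviderName);
        config.Save(ConfigurationSaveMode.Modified); // rewrites only changed sections
        return true;
    }

    // Reverse operation, equivalent to aspnet_regiis -pdf on this section.
    public static bool UnprotectSection(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}

// Usage from a one-off admin page (assumed name), then delete the page:
//   bool changed = ConfigProtector.ProtectSection("appSettings");
//   string pwd = ConfigurationManager.AppSettings["Password"]; // still plaintext to your code
```

Two things worth checking after running it: open web.config over FTP and confirm the section now contains an EncryptedData element rather than your values, and keep a plaintext copy of the original off the server, because the machine-scope DPAPI key means the encrypted file only decrypts on the host that encrypted it. If the hosting provider moves your site to a different machine you have to re-run ProtectSection there, which is one reason to do it from the deployed application rather than from a local copy of the file. Note also what this does and does not defend against: it stops the secrets being readable from a copy of web.config taken off the box (an FTP backup, a mis-served file), but any process on the same server that can call machine-scope DPAPI can still decrypt it.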
While at first glance it seems to be straightforward, there are a couple of hurdles I encountered.
So I am providing steps that worked fine for me (to encrypt the appSettings section) using the default crypto provider:
Encrypt sections in the web.config:

1. Your Windows directory is assumed to be on C: for the steps below. Further assumed is that the application is deployed on D:\Apps\myApp - replace this by the path you're using in step 3.

2. cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

   On 32 bit Windows systems use Framework instead of Framework64.

3. cd /D "D:\Apps\myApp"

   Note: The /D switch will change the drive automatically if it is different from your current drive. Here it will change the path and drive, so the current directory will be D:\Apps\myApp afterwards.

4. c:aspnet_regiis -pef appSettings .

   You should see this message:

You can also decrypt sections in the web.config: these are the same steps, but with option -pdf instead of -pef for aspnet_regiis.

It is also possible to encrypt other sections of your web.config, for example you can encrypt the connection strings section via:
More details about that can be found here.
Note: The encryption above is transparent to your web application, i.e. your web application doesn't recognize that the settings are encrypted.
You can also choose to use non-transparent encryption, for example by using Microsoft's DPAPI or by using AES along with the Framework's AES Class.
How it is done with DPAPI I have described here at Stackoverflow. DPAPI works very similarly in the sense that it uses the machine's or user credential's keys. Generally, non-transparent encryption gives you more control, for instance you can add a SALT, or you can use a key based on a user's passphrase. If you want to know more about how to generate a key from a passphrase, look here.
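The two non-transparent options named above, as an added example that is not part of the answer: DPAPI through ProtectedData (reference System.Security.dll), and AES with a key derived from a passphrase and a random salt via PBKDF2 (Rfc2898DeriveBytes). "Non-transparent" means web.config holds the Base64 ciphertext and your own code calls the matching Decrypt when it reads the value. The iteration count and the salt, IV and tag sizes are assumptions chosen here; the output layout (salt | iv | ciphertext | HMAC tag) is this example's own convention, not a standard format.

```csharp
// Added example, not from the original answer.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretProtector
{
    // ---- Option A: DPAPI. No key handling in your code; LocalMachine scope means
    // any account on this host can decrypt, CurrentUser binds it to the app pool identity.
    // Entropy is an optional extra secret; it only helps if it is NOT stored in web.config.
    public static string DpapiEncrypt(string plaintext, byte[] entropy, DataProtectionScope scope)
    {
        byte[] cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), entropy, scope);
        return Convert.ToBase64String(cipher);
    }

    public static string DpapiDecrypt(string base64, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64), entropy, scope);
        return Encoding.UTF8.GetString(plain);
    }

    // ---- Option B: AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC), passphrase-derived keys.
    private const int SaltSize = 16, IvSize = 16, KeySize = 32, TagSize = 32;
    private const int Iterations = 100000; // assumed; raise as your CPU budget allows

    // PBKDF2 stretches the passphrase; a fresh random salt per secret stops precomputation.
    private static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Iterations))
        {
            encKey = kdf.GetBytes(KeySize);
            macKey = kdf.GetBytes(KeySize); // distinct key material for the MAC
        }
    }

    public static string AesEncrypt(string plaintext, string passphrase)
    {
        byte[] salt = new byte[SaltSize], iv = new byte[IvSize];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(salt); rng.GetBytes(iv); }
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        byte[] data = Encoding.UTF8.GetBytes(plaintext), cipher;
        using (var aes = Aes.Create())                      // defaults: CBC, PKCS7
        using (var enc = aes.CreateEncryptor(encKey, iv))
            cipher = enc.TransformFinalBlock(data, 0, data.Length);

        // blob = salt | iv | ciphertext, then tag over the whole blob
        byte[] blob = new byte[SaltSize + IvSize + cipher.Length + TagSize];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, blob, SaltSize, IvSize);
        Buffer.BlockCopy(cipher, 0, blob, SaltSize + IvSize, cipher.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, blob.Length - TagSize);
            Buffer.BlockCopy(tag, 0, blob, blob.Length - TagSize, TagSize);
        }
        return Convert.ToBase64String(blob);
    }

    public static string AesDecrypt(string base64, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(base64);
        if (blob.Length < SaltSize + IvSize + TagSize)
            throw new CryptographicException("Ciphertext too short.");

        byte[] salt = new byte[SaltSize], iv = new byte[IvSize], tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, IvSize);
        Buffer.BlockCopy(blob, blob.Length - TagSize, tag, 0, TagSize);
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        // Verify the tag BEFORE touching the ciphertext; wrong passphrase or tampering
        // fails here with no padding-oracle behaviour.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, blob.Length - TagSize);
            if (!FixedTimeEquals(expected, tag))
                throw new CryptographicException("Authentication failed.");
        }

        int cipherLen = blob.Length - SaltSize - IvSize - TagSize;
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, SaltSize + IvSize, cipherLen));
    }

    // Constant-time comparison so the tag check leaks nothing via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The practical difference between the two: DPAPI needs no secret of your own but ties the ciphertext to that server (or that account), while the AES variant is portable between hosts but only as strong as where the passphrase lives. If the passphrase sits in web.config next to the ciphertext the scheme is obfuscation, not encryption; it has to come from somewhere the file-level attacker does not get, such as a file outside the web root with tighter permissions or a value entered once at startup and held only in memory. Compare the round trip, AesDecrypt(AesEncrypt(secret, pass), pass) == secret, and also confirm that a changed passphrase or a single flipped byte in the Base64 blob raises "Authentication failed." rather than returning garbage.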