Encrypt and store password in web.config file

I have the following information in my web.config file.

<appSettings>
<add key="AdminUsername" value="User1"/>
<add key="AdminPassword" value="Password1"/>
</appSettings>

how do I encrypt it and store? how do I decrypt and use?

标签： c# asp.net web-config web-config-encryption

2条回答

趁早两清

2楼-- · 2019-07-02 01:55

Kindly refer to the article - http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.80%29.aspx

The command is:

aspnet_regiis.exe -pe "appSettings" -site "MySharePoint" -app "/"

where MySharePoint is a Virtual Directory. The web.config file should be inside the directory too.

0人赞添加讨论(0) 举报

在下西门庆

3楼-- · 2019-07-02 01:55

The drawback of encrypting configuration sections using aspnet_regiis or the equivalent APIs is that it encrypts entire sections.

Good from a security perspective, but it makes it more difficult for an administrator to inspect other non-sensitive configuration data in the same section. appSettings is a section which an administrator will often want to inspect.

One option is to put your credentials in a different section (e.g. create a dummy connection string in the <connectionStrings> section) and encrypt only this section:

<connectionStrings>
   ...
   <add key="AdminCredentials" 
        providerName="" 
        connectionString="Username=...;Password=..." />
</connectionStrings>

You will of course have to write code to parse the dummy connection string (String.Split) and extract the credentials. Something like the following (omitting error handling for simplicity):

string s = ConfigurationManager.ConnectionStrings["AdminCredentials"].ConnectionString;
string[] tokens = s.Split(';');
string userName = tokens[0].Split('=')[1];
string password = tokens[1].Split('=')[1];
...

By doing this, you can leave your appSettings section unencrypted.

0人赞添加讨论(0) 举报

Encrypt and store password in web.config file

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间