What is the best practice for storing keys, and or passwords for a website. These keys are for various 3rd party web services. Is it best to have them in the Web.config file, or in the database, or encrypted somehow?
+3
A:
You can store the encrypted values in the .config file, and ASP.NET 2.0 will decrypt them on the fly.
Your configuration would look something like:
<configSections>
<section
name="sampleSection"
type="System.Configuration.SingleTagSectionHandler"
/>
</configSections>
<MySecrets
FavoriteMusic="Disco"
FavoriteLanguage="COBOL"
DreamJob="Dancing in the opening ceremonies of the Olympics"
/>
and then you run the following from a command line, in the same directory as your config file:
aspnet_regiis -pef MySecrets .
From K. Scott Allen:
http://odetocode.com/Blogs/scott/archive/2006/01/08/2707.aspx
defeated
2008-10-13 19:56:38
+1
A:
Depends on how often the values change. If they will never change then I would keep them in your source code.
I would stay away from storing data that changes in the Web.Config because changing it forces a restart of the App pool.
My vote would be to store them, encrypted, in the database and provide an easy way for the values to be changed (e.g. store values in the cache and refresh them when they are altered by a user).
Jared
2008-10-13 19:59:59