tags:

views:

1859

answers:

3
+4  Q: 

Encrypting appSettings in web.config

I am developing a web app which requires a username and password to be stored in the web.Config, it also refers to some URLs which will be requested by the web app itself and never the client.

I know the .Net framework will not allow a web.config file to be served, however I still think its bad practice to leave this sort of information in plain text.

Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.

Can anyone recommend any good, free encryption DLL's or methods which I can use? I'd rather not develop my own!

Thanks for the feedback so far guys but I am not able to issue commands and and not able to edit the registry. Its going to have to be an encryption util/helper but just wondering which one!

+12  A: 

EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSection method.

Sample on codeproject:

Encryption of Connection Strings inside the Web.config in ASP.Net 2.0

aku  2008-09-10 14:33:39
Aku,unfortunately those links refer to the command line, I am unable to use those as we do not have direct access to the command line. If I were to encrypt it on my own machine and then deploy it to the server it will not work as the key will not exist/be different
Mauro  2008-09-10 14:37:15
A: 

Use aspnet_setreg.exe http://support.microsoft.com/kb/329290

Robert S.  2008-09-10 14:36:56
A: 

You could use something like the following to encrypt the values:

Using System.Security.Cryptography;

...

private string EncodeSomething(string something)
{
     Byte[] originalBytes;
     Byte[] encodedBytes;
     MD5 md5;
     md5 = new MD5CryptoServiceProvider();
     originalBytes = ASCIIEncoding.Default.GetBytes(something);
     encodedBytes = md5.ComputeHash(originalBytes);
     //convert the encrypted bytes back to a string (base16)
     string hashString = "";
     for(int i = 0; i < encodedBytes.Length; i++)
     {
          hashString += Convert.ToString(encodedBytes[i], 16).PadLeft(2,'0');
     }
     return hashString.PadLeft(32,'0');
}

*disclaimer - I didn't write this and I can't recall where I pulled the sample code from to give proper credit.

**edit: leaving this here but I like aku's answer better :)

Chuck  2008-09-10 14:44:05
You're using a hash algorithm. When you use a hash, there is no way to decrypt the data; it's a one-way transform.
Simon Johnson  2008-09-13 10:58:15
I realize that, should have pointed it out in my original post.
Chuck  2008-09-15 14:00:31

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security