I am developing a web app which requires a username and password to be stored in the web.config. It also refers to some URLs which will be requested by the web app itself and never the client.

I know the .Net framework will not allow a web.config file to be served, however I still think it's bad practice to leave this sort of information in plain text.

Everything I have read so far requires me to use a command line switch or to store values in the registry of the server. I have access to neither of these as the host is online and I have only FTP and Control Panel (helm) access.

Can anyone recommend any good, free encryption DLLs or methods which I can use? I'd rather not develop my own!

Thanks for the feedback so far guys, but I am not able to issue commands and am not able to edit the registry. It's going to have to be an encryption util/helper, but just wondering which one!

+12  A: 

EDIT:
If you can't use the asp utility, you can encrypt the config file using the SectionInformation.ProtectSection method.

Sample on codeproject:

Encryption of Connection Strings inside the Web.config in ASP.Net 2.0

aku
Aku, unfortunately those links refer to the command line. I am unable to use those as we do not have direct access to the command line. If I were to encrypt it on my own machine and then deploy it to the server, it will not work as the key will not exist/be different.
Mauro
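
An added example, not part of the original answer or the linked article: calling SectionInformation.ProtectSection from inside the deployed application, so the section is encrypted on the host with the host's own key and no command line is needed. It assumes the credentials live in appSettings, that the application identity may write to web.config, and that the host's trust level permits it; the ConfigProtector class and its method name are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

// Hypothetical helper; the class and method names are illustrative only.
public static class ConfigProtector
{
    // Built-in DPAPI-backed provider; "RsaProtectedConfigurationProvider"
    // is the other provider that ships with .NET 2.0.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the named section of the site's root web.config if it is
    // still plain text. Returns true when the file was rewritten.
    public static bool ProtectIfNeeded(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(
            HttpRuntime.AppDomainAppVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected || info.IsLocked)
            return false; // already encrypted, or locked by a parent config

        // Runs on the server, so the server's key material is used.
        info.ProtectSection(Provider);
        config.Save(); // throws if the file is not writable
        return true;
    }
}

// Code-behind for Global.asax.
public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Assumption: the username and password are stored in appSettings.
        ConfigProtector.ProtectIfNeeded("appSettings");
    }
}
```

Saving web.config restarts the application once; on the next start the section is already protected and the call does nothing. Values are still read through ConfigurationManager.AppSettings, which decrypts them transparently.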
A: 

Use aspnet_setreg.exe http://support.microsoft.com/kb/329290

Robert S.
A: 

You could use something like the following to encrypt the values:

using System.Security.Cryptography;
using System.Text;

...

private string EncodeSomething(string something)
{
     Byte[] originalBytes;
     Byte[] encodedBytes;
     MD5 md5;
     md5 = new MD5CryptoServiceProvider();
     originalBytes = ASCIIEncoding.Default.GetBytes(something);
     encodedBytes = md5.ComputeHash(originalBytes);
     // convert the hash bytes to a hex (base16) string
     string hashString = "";
     for(int i = 0; i < encodedBytes.Length; i++)
     {
          hashString += Convert.ToString(encodedBytes[i], 16).PadLeft(2,'0');
     }
     return hashString.PadLeft(32,'0');
}

*disclaimer - I didn't write this and I can't recall where I pulled the sample code from to give proper credit.

**edit: leaving this here but I like aku's answer better :)

Chuck
You're using a hash algorithm. When you use a hash, there is no way to decrypt the data; it's a one-way transform.
Simon Johnson
I realize that, should have pointed it out in my original post.
Chuck