ASP.NET: Encrypt Connection String on a Shared Host

February 14, 2007

It’s possible to encrypt a connection string stored in web.config on a shared host where you don’t have access to the command line. Just create an aspx page that toggles the encryption status of the connection string like this:

EncryptConfigConnectionString.aspx

 

<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Web.Configuration" %>

<script runat="server">

    Protected Sub EncryptButton_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        Try
            ' Open the configuration file and retrieve
            ' the connectionStrings section.
            Dim config As Configuration = WebConfigurationManager.OpenWebConfiguration("~/")

            Dim section As ConnectionStringsSection = DirectCast( _
                config.GetSection("connectionStrings"), _
                ConnectionStringsSection)

            If section.SectionInformation.IsProtected Then
                ' Remove encryption.
                section.SectionInformation.UnprotectSection()
            Else
                ' Encrypt the section.
                section.SectionInformation.ProtectSection( _
                    "DataProtectionConfigurationProvider")
            End If

            ' Save the current configuration.
            config.Save()

            EncryptLabel.Text = "Protected=" & section.SectionInformation.IsProtected
            EncryptLabel.ForeColor = Drawing.Color.Green

        Catch ex As Exception
            EncryptLabel.Text = ex.Message & " (You might need to impersonate an account with permissions to update the web.config file)"
            EncryptLabel.ForeColor = Drawing.Color.Red
        End Try
    End Sub

</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title>Manage Connection String</title>
</head>
<body>
    <p>
        This form will toggle the encryption of the Connection String in the web.config file.<br />
        In order for it to run, you must first have ASP.NET <a href="http://aspnet.4guysfromrolla.com/articles/041002-1.aspx">impersonate the owner user</a> by changing<br />
        the configuration setting \configuration\system.web\identity in web.config.
    </p>
    <form id="form1" runat="server">
        <asp:Button ID="EncryptButton" runat="server" Text="Toggle Encryption" OnClick="EncryptButton_Click" /><br />
        <asp:Label ID="EncryptLabel" runat="server" Text=""></asp:Label><br />
    </form>
</body>
</html>

But before you can use this page to toggle the encryption of your connection string, you must temporarily let it run with your account’s permissions. To do this, add the following <identity impersonate … /> tag to the system.web section of your web.config. Don’t forget to remove this tag when you are finished, because it holds your account password in clear text!

web.config

 

<system.web>
    <!-- The following is necessary when programmatically changing encrypted connectionStrings -->
    <identity impersonate="true" userName="userName" password="password" />
    <!-- other system.web settings -->
</system.web>
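Once the toggle has been run, it is worth confirming on a downloaded copy of web.config that the section really is encrypted and that the temporary identity tag is gone. The Python check below is an added example, not part of the original post: the function name audit_web_config and both sample configs are constructed for illustration, and it assumes the protected layout that ProtectSection writes (a configProtectionProvider attribute with an EncryptedData child).

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop an XML namespace prefix so '{ns}identity' matches 'identity'."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return findings for a web.config; an empty list means it is clean."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "connectionStrings":
            children = {local(c.tag) for c in el}
            protected = el.get("configProtectionProvider") and "EncryptedData" in children
            if not protected or "add" in children:
                findings.append("connectionStrings is readable in clear text")
        elif name == "identity":
            # The temporary tag from the post: impersonation with stored credentials.
            if el.get("impersonate", "").lower() == "true" and el.get("password") is not None:
                findings.append("identity tag still holds an account password")
    return findings

# Constructed sample: state while the toggle page is being used.
DURING = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db;User Id=app;Password=example" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="userName" password="password" />
  </system.web>
</configuration>"""

# Constructed sample: section encrypted, identity tag removed (cipher text is a placeholder).
AFTER = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <system.web />
</configuration>"""

if __name__ == "__main__":
    for label, text in (("during", DURING), ("after", AFTER)):
        print(label, audit_web_config(text) or "OK")
```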