What is the proper method for encrypting ASP.NET connetionStrings?

Question

I\'ve been looking through several examples of encrypting connectionStrings (Web.config) in an ASP.NET MVC application (.NET 4.0) and it seems that there are two general ways to

Answer 1

The easiest way with the shared hoster is probably going to be to write your own encrypt/decrypt utility and store the connection string either in app settings, custom XML file, or text file, so that you have full control over the encryption/decryption process...

Per your update, you can get the current request via:

new HttpRequestWrapper(System.Web.HttpContext.Current.Request);

HTH.

Answer 2

Get ConnectionString from Web.config File

Before starting how to read or get connectionstring from web.config file, you should know how to get connection string to connect your database from here that will show you also the difference why I’ve not used user id and password in my connection string. After knowing that, you can adjust your connection string in web.config as follows.

<connectionStrings>
   <add name="myDbConnection" providerName="System.Data.SqlClient"
   connectionString="Data Source=myServer;Integrated Security=true;Initial Catalog=myDatabase"/>
</connectionStrings>

To read or get connectionstring from web.config file in asp.net, we need to add System.Configuration namespace that will help us to read our connection string.

Note: If you have defined your connection string under appSettings section, you can get your connectionstring from appSettings section this way. Read Connectionstring in C#

protected void Page_Load(object sender, EventArgs e)
{
       string con = System.Configuration.ConfigurationManager.ConnectionStrings["myDbConnection"].ConnectionString;
}

Read Connectionstring in Vb.net

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
       Dim con As String = System.Configuration.ConfigurationManager.ConnectionStrings("myDbConnection").ConnectionString
End Sub

Example: Simple Insert, Update and Delete in Asp.net You may also like insert, update and delete on asp.net gridview here. That’s it, now you’ll be able get connectionstring from web.config file and can use wherever you want.

You can read more on asp.net via http://www.aspneto.com/category/aspnet/

Answer 3

I've come up with a solution of my own, but I'm hoping that there is a better way to do it:

internal static class SecurityExtension
{
    public static string GetConnetionString(this Configuration config, string databaseName, string provider = "RSAProtectedConfigurationProvider")
    {
        string sectionName = "connectionStrings";
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(provider);
            config.Save();
        }

        return WebConfigurationManager.ConnectionStrings[databaseName].ConnectionString;
    }
}

Now I just have to use the extension every time I want to get the configuration string:

Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
string connectionString = config.GetConnetionString("MyDatabaseName");

Update:
Thanks to Brian, we can statically get the connection string:

private static HttpRequestWrapper request = new HttpRequestWrapper(System.Web.HttpContext.Current.Request);
private static Configuration config = WebConfigurationManager.OpenWebConfiguration(request.ApplicationPath);
private static string connectionString = config.GetConnetionString("MyDatabaseName"));

Of course you would not want to store the connection string like that, instead you would just use it to initialize your DataContext or use it for whatever else you need.