When you get a client who is more technical, he puts emphasis on the safety of his critical data. Recently I faced such a client. When my client went through the published ASP.NET project on the server, he found our DB password inside the connection string in web.config and expressed his concern about the safety of the DB password. So he suggested that I not place it in web.config; moreover, he asked me to hardcode the password in my ASP.NET code and obfuscate that DLL!
But this is a rubbish idea! So I used a technique to encrypt part of the configuration in web.config: the Aspnet_regiis.exe tool can encrypt sections of my project's web.config (in my case I did only the connection string).
The Microsoft .NET Framework provides the following protected configuration providers by default:
I implemented RsaProtectedConfigurationProvider for my project.
I encrypted only the connection string, as this encryption adds some overhead to the ASP.NET application and hence may affect its performance. So Microsoft suggests encrypting only those sections that are of most concern for security. In my case, I encrypt only the connection string section.
Before encryption, my connection string was something like this:
Then I ran the following command to encrypt my connection string:
And I got the following changes in my web.config:
I hope you like this trick, which has been available since .NET Framework 2.0, for encrypting certain data in your web.config.
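The procedure described above, as an added PowerShell example (not the author's original command or configuration): it encrypts the connectionStrings section with RsaProtectedConfigurationProvider, checks the result in the file, and grants the site's account access to the RSA key. The site folder and application pool name are placeholders, the 64-bit .NET 4 location of aspnet_regiis.exe is an assumption, and the script must run in an elevated prompt on the web server.

```powershell
# Added example. $siteDir and $identity are placeholder values (assumptions).
$siteDir  = 'C:\inetpub\wwwroot\MyApp'    # folder containing web.config
$identity = 'IIS APPPOOL\MyAppPool'       # account the application pool runs as
$regiis   = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$config   = Join-Path $siteDir 'web.config'
$backup   = Join-Path $env:TEMP 'web.config.plaintext.bak'   # outside the web root

foreach ($p in $regiis, $config) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}
Copy-Item $config $backup -Force

# -pef encrypts a section of the web.config in a physical folder.
# The section name is case-sensitive.
& $regiis -pef 'connectionStrings' $siteDir -prov 'RsaProtectedConfigurationProvider'
$exit = $LASTEXITCODE

# Check the file itself rather than trusting only the exit code.
[xml]$xml = Get-Content $config -Raw
$section  = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='connectionStrings']")
$ok = $exit -eq 0 -and $section -and
      $section.GetAttribute('configProtectionProvider') -eq 'RsaProtectedConfigurationProvider' -and
      $section.SelectSingleNode("*[local-name()='EncryptedData']") -and
      $section.SelectNodes("*[local-name()='add']").Count -eq 0

if (-not $ok) {
    Copy-Item $backup $config -Force      # roll back to the working file
    Remove-Item $backup -Force
    throw 'connectionStrings was not encrypted; web.config restored.'
}

# Let the application pool account read the default machine-level RSA key
# container, otherwise the site cannot decrypt the section at run time.
& $regiis -pa 'NetFrameworkConfigurationKey' $identity
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not grant key access to $identity" }

# The backup still holds the plaintext password, so do not leave it around.
Remove-Item $backup -Force
Write-Output "connectionStrings in $config is now encrypted."
```

The application keeps reading its connection strings through the normal configuration API, since ASP.NET decrypts the section transparently. The encryption protects the password if web.config is copied or disclosed, but any account on the server that can read the key container can still decrypt it.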