All geek questions in one place

Web.config encryption in web farm

Guys, I don’t know if this question has been asked before or not. But I want to encrypt the connection strings in my web.config. And my application will be deployed in a web farm.

I tried reading some blogs about this, but got confused. Can someone tell me the link they really tried and achieved.

+4
source share
3 answers

We use a secure RSA configuration provider . This page is not an easy read, but it got what you need.

I recommend the following command (example from the article):

aspnet_regiis.exe -pef "connectionStrings" C: \ Projects \ MachineRSA

+2
source

You may have considered this, but if not: RSAProtectedConfigurationProvider can use keys at the computer level or user level for encryption. The default is machine level. This means that you cannot encrypt your web.config once and deploy it to all the machines in the web farm. You must encrypt it on each machine, since the key for encryption and decryption only exists on this machine.

You can work around this problem by using a user-level key or by exchanging the key on all machines of web farms:

+2
source

Before encrypting connection strings, think about what you are trying to protect by encrypting them. Your application will need access to the plaintext connection string in order, and therefore access to the key will be required. Thus, an attacker who compromises your ASP.Net application is most likely able to steal a key and a secure connection string. Therefore, encryption does not really bring much benefit.

Instead of encryption, focus on how this file is handled by operations personnel and file permissions that are used in production. Allow read-only access to the ASP.Net work pool account in which your application runs.

+1
source

Source: https://habr.com/ru/post/1286018/

More articles:


All Articles