Encrypt connection strings so other developers cannot decrypt, but the application still has access

Question

Encrypt connection strings so other developers cannot decrypt, but the application still has access

I have a database that I want to access through a .NET web application. I can encrypt the connection string in web.config quite easily, but any developer who has access to this mailbox can decrypt it with a few lines of code - they have access to this field, so they have access to the encryption key stored on the machine. configurations.

While I can block people from the database by denying access to their user accounts, it does not help that the web application has the notorious keys to the kingdom. Does anyone know a good way to allow a web application to access the database without using the SQL account used by the web application for experienced developers?

+1

.net encryption connection-string

ddavis Jun 01 '09 at 19:08

source share

6 answers

, , , , . ( "I" == )

( Unix, ACL Windows) , , ( ) . ( , XOR ...)

, , -.

+3

grawity 01 . '09 19:13

, .

( ) . ..

SSPI, , -. , sysadmin () web.config .

(, , ), /QA.

+2

David 01 . '09 19:25

, , , aspnet_setreg, , .

.:)

+1

Jonathan S. 01 . '09 19:21

.

, . , , , , .

- SQL-, oracle sybase, .

Web.Config ASP.NET 2.0 :

+1

Simon 22 . '10 9:58

, , , , .

, , .

DEL *. * ?

0

Joseph 01 . '09 19:21

Yann Schwartz · Accepted Answer · 2009-06-01T19:20:06+0000

This is a problem with chicken and egg. If your application has access to a secret (a key to encrypt your connection string), anyone who has the same rights as your application also has it.

- login/pwd SQL Server, (SSPI). , , Windows ( , ), - ( , login/pwd db , ), . , . , ( , , ).

, , ( ), .

, , , ( /dbo).

Encrypt connection strings so other developers cannot decrypt, but the application still has access

More articles: