Web.config encryption for websites

Question

Web.config encryption for websites

I already found information on how to encrypt web.config using a custom provider and certificate for web roles to protect connection strings and other settings.

Is this also possible for websites? If not, how can I protect my connection string for websites? I know that I can manage the connection chains on the azure portal, but they are also stored in clear text. Therefore, if someone gets access to web.config or azure control, he will be able to read all the data.

See also:

http://www.heikniemi.net/hardcoded/2013/06/encrypting-connection-strings-in-windows-azure-web-applications/comment-page-1/#comment-173488

http://blogs.msdn.com/b/sqlazure/archive/2010/09/10/10060395.aspx

+6

web-config azure connection-string

user2500771 Jun 19 '13 at 10:58

source share

1 answer

Simon gurevich · Answer 1 · 2014-07-26T18:49:52+0000

Save the key-value string pairs (connection strings and other secrets) in the Azure website configuration information. This sensitive information never appears in plain text in the web.config file.

http://azure.microsoft.com/blog/2013/07/17/windows-azure-web-sites-how-application-strings-and-connection-strings-work/

This should be safe enough - if the azure admin credentials are compromised, you lose everything, not just the connection strings - an attacker can simply use remote website debugs to get any information by stepping over the program, even if you had an encryption method / decrypt connection strings.

-Simon.

Web.config encryption for websites

More articles: