This article demonstrates how you can use encrypted connection strings with Telerik OpenAccess ORM within your web applications.

After a web application is built and deployed to the IIS, the web.config’s ‘connectionStrings’ section can be encrypted. This can be done by using the ASP.NET Registration Tool (aspnet_regiis.exe).

See the following command executed on the command line (The command line needs to be started with administrative rights):

aspnet_regiis -pe "connectionStrings" -app "/YourWebsiteName"

After the command is executed, the connection strings in the web.config file of the specified website are encrypted. An example could look like this:

<?xml version="1.0"?>
 <configuration>
   <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
     <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
       xmlns="http://www.w3.org/2001/04/xmlenc#">
       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
           <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
             <KeyName>Rsa Key</KeyName>
           </KeyInfo>
           <CipherData>
             <CipherValue>BJFIXhlw2AjlQrsIjUSa+Sh5QyAhtQL7GL2cfW0cHd1gnBUJoQAZH/DO8+5aer+XnKrq6dXRnwUgdb6G7HyiX7F0ToT8+KwnPCfFpKdb6d2EcdFqLisEbhwwMf1g4l1r+DT+vmIhBcpwpgJHhCBjqjaMvE+rbjbYu1G+7fTbpas=</CipherValue>
           </CipherData>
         </EncryptedKey>
       </KeyInfo>
       <CipherData>
         <CipherValue>7iEw3IbTMxy6rHrWqsWompJhBU3i8aX2hGqjdKhGlAYLmsHll6Eu/Z30Nme9xfcQlCB/a98+xp+Nu/cZFupM6QeIwZ0rzwwoj6WAoItOcdUuFixu8lrbOu79r1NIn1/LVIi+NzQZRcJbjwc0rsYapNywoSkySYGuL/8mSMW+Q2u4V6O8chu4EkvT+p3nBWshI1NJHGWR++K03a1/RbyGrYQ+mre+QIAl6Wg1ZwKeqEqkMUKb/4PBB6Rp9hhIs7yKak6odIfSitt3HRuMpGJzhzhA4itVhgRK+9xeR9FA7/Q7YhsOgqWh2w==</CipherValue>
       </CipherData>
     </EncryptedData>
   </connectionStrings
 </configuration>

When encrypting configuration entries, different encryption providers can be chosen or a custom provider can be used. By default Microsoft is offering two providers: ‘RsaProtectedConfigurationProvider’ and ‘DPAPIProtectedConfigurationProvider’. More details on providers can be found in the MSDN documentation.

In this case, the ‘RsaProtectedConfigurationProvider’ was used, which is also the default provider and no other provider was specified in the command before.

Once the web.config file is encrypted, the user which is defined as the user of the application pool, needs to get the rights to access the encryption keys needed by the ‘RsaProtectedConfigurationProvider’. In this example the user “NT AUTHORITY\NETWORK SERVICE” is defined as the application pool user. The grants to the encryption keys, in this case the ‘NetFrameworkConfigurationKey’, which is the key container specified for the default provider, can be given with the following command:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

Now the configuration file is encrypted and the user defined in the application pool is allowed to use the keys needed by the respective provider. Now what needs to be done in the OpenAccess code? The answer is: Nothing! Everything works out of the box.

More details about how to encrypt configuration files, define custom providers and key management can be found in the respective MSDN documentation.

Click to download your free copy of OpenAccess


About the Author

Ralph Waldenmaier

 is Senior Software Developer in Telerik OpenAccess ORM

Related Posts

Comments

Comments are disabled in preview mode.