http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspxASP.Net V2.0 has much improved encryption over v1.x including the ability to encrypt any part of the connection string. Of course there is some performance overhead to do this so only sections that have sensitive information should be encrypted. I reallyenCommunityServer 2007 SP1 (Build: 20510.895)http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#2182657Thu, 05 Apr 2007 14:37:51 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:2182657dondon<p>Mr.Simplistic:</p> <p>You have a point but wouldn't that require write access to the directory where looking at a web.config to get an unencrypted connection string would only require read access. </p> <p>Also, if you are using source control and have an unencrypted connection string in your web.config then someone only needs to view the checked in source to get the info.</p> <p>I think it is not a solution to the entire problem, just common sense. Like locking a door is a good idea even if it won't stop a serious thief.</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=2182657" width="1" height="1">http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#1865569Fri, 02 Mar 2007 13:44:43 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:1865569FlureFlure<p>Hello,</p> <p><a rel="nofollow" target="_new" href="http://wavefrontguidedlasik.site.cx">http://wavefrontguidedlasik.site.cx</a></p> <p>Thanks ;) Good luck!!!</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=1865569" width="1" height="1">http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#1263197Mon, 18 Dec 2006 06:47:33 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:1263197abhishekabhishek<p>i have create a connection string in asp.net but i required it reflect in all the pages what can i do</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=1263197" width="1" height="1">http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#808740Sat, 04 Nov 2006 01:59:42 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:808740Cyril 's BlogCyril 's Blog<p>Les fichiers de configuration d'une application .net est un fichier XML donc lisible et compr&#233;hensible</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=808740" width="1" height="1">http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#476109Tue, 22 Aug 2006 14:57:02 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:476109Visual Studio 2005/SQL Server 2005 Community Launch EventVisual Studio 2005/SQL Server 2005 Community Launch Event<p>Just a few more notes on encrypting parts of web.config: 1.0/1.1 through hotfix: <a rel="nofollow" target="_new" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;3292902.0:http://channel9.msdn.com/wiki/default.aspx/Channel9.HowToEncryptConfigurationSectionsUsingRsaInAspNet20?diff=ysee">http://support.microsoft.com/default.aspx?scid=kb;en-us;3292902.0:http://channel9.msdn.com/wiki/default.aspx/Channel9.HowToEncryptConfigurationSectionsUsingRsaInAspNet20?diff=ysee</a>..</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=476109" width="1" height="1">http://weblogs.asp.net/owscott/archive/2005/07/29/Encrypting-the-connection-string-in-ASP.NET-V2.0.aspx#472890Sun, 20 Aug 2006 05:51:46 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:472890Mr.SimplisticMr.Simplistic<p>This is probably going to be a very silly question as I am still learning / not quite up to speed with the encryption side of things, but...</p> <p>As I understand, the whole point of encrypting web.config sections (including connection strings) is to avoid having a plain-text password &quot;exposed&quot;, should someone gains file access to the application directory.</p> <p>However, couldn't that someone simply put an aspx page to display connection string in plain text after getting the system to decrypt it, regardless of where any of the keys are stored?</p> <p>The only way I can see this being avoided is hard-coding an entropy of some kind, using custom decryption - e.g. at logon authentication, manually accessing the database or creating a custom role and memebership providers with manual interaction with database...</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=472890" width="1" height="1">