Encrypt db password in web.config
Is it possible to encrypt the password in the web.config under appSettings key umbracoDbDSN without making a core change?
Regards
Ismail
Hey Ismail,
As far as I'm aware, it's not possible with the appSettings ... as you say, not without modifying the core. :-(
- Lee
Hey Ismail,
Assuming nothing has changed, Dirk answered this a while ago:
http://our.umbraco.org/forum/core/general/6265-umbracoDbDSN---encrypted-connection-string
So looks like it's a no.
Matt
That's a bit disappointing, I always felt a bit uneasy having the password so plainly visible...
You could always just use the aspnet_regiis tool:
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
It'll only work on entire configuration sections though, so you'd have to encrypt everything in appSettings. Might be worth doing it as part of the deployment process though if you can't use a trusted connection (I don't like storing db passwords in plain text either - even in web.config).
No there is no way to do an encrypted connection string without modifying the core.
If you're worried about storing a password then generate a unique one per Umbraco instance, make it like 20 characters, and then create a user just for that db.
If you properly secure your DB then you shouldn't really need to worry about having an encrypted connection string.
Hi Ismail,
You can use the .NET aspnet_regiis tool to encrypt or decrypt sections of the web.config file.
Check out the following links:
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
You could always use Windows Authentication. That means that you wouldn't need to have a password in the Web.Config at all. If you create an Application Pool in IIS, set it up to run as a Windows User that has access to the database, then add the Umbraco system to run in that application pool, you can use a database connection string like: data source=localhost;initial catalog=Umbraco;integrated security=True and the system will work fine.
To be honest, the installation screen threw me a bit the first time I saw Umbraco since I always disable username / password authentication in SQL Server (it's considered bad security practice to use it in most Windows development organisations).
cheers adrian.
Regards
Ismail
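The section-level encryption with aspnet_regiis suggested in the thread, written as a deployment step. This is an added example, not code from any of the posters or from Umbraco; the site path, application pool account and framework directory are assumed values to adjust per server.

```powershell
# Added example. $SitePath, $AppPoolAccount and the framework directory are assumptions.
param(
    [string]$SitePath       = 'C:\inetpub\wwwroot\umbraco',  # assumed physical path of the site
    [string]$AppPoolAccount = 'IIS APPPOOL\Umbraco',         # assumed application pool identity
    [string]$Section        = 'appSettings'                  # the whole section gets encrypted
)
$ErrorActionPreference = 'Stop'

# Assumed location of the tool; use the framework version the site actually runs on.
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$config = Join-Path $SitePath 'web.config'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $config)) { throw "web.config not found at $config" }

function Test-SectionEncrypted {
    param([string]$Path, [string]$Name)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    # Match on LocalName so a namespace on <configuration> does not hide the section.
    $node = $xml.DocumentElement.ChildNodes |
        Where-Object { $_.LocalName -eq $Name } | Select-Object -First 1
    if ($null -eq $node) { throw "Section <$Name> not found in $Path" }
    # A protected section carries a configProtectionProvider attribute.
    return [bool]$node.GetAttribute('configProtectionProvider')
}

if (Test-SectionEncrypted -Path $config -Name $Section) {
    Write-Host "<$Section> is already encrypted; nothing to do."
    return
}

# -pef: encrypt the named section of the web.config found under a physical path,
# using the default RSA provider and its machine-level key container.
& $regiis -pef $Section $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef exited with code $LASTEXITCODE" }

# -pa: let the application pool identity read the key container so the
# site can decrypt the section at runtime.
& $regiis -pa 'NetFrameworkConfigurationKey' $AppPoolAccount
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa exited with code $LASTEXITCODE" }

# Do not trust the exit code alone: confirm the file on disk changed.
if (-not (Test-SectionEncrypted -Path $config -Name $Section)) {
    throw "<$Section> is still plain text in $config"
}
Write-Host "<$Section> in $config is now encrypted."
```

With the default machine-level key the section only decrypts on the server where it was encrypted, and any administrator on that server can reverse it with `aspnet_regiis -pdf`, so this protects copies of the file rather than the server itself.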