Geeks With Blogs
Jeroen Bourdeaud'hui web application developer

A couple of years ago, I used 'something' to encrypt the connectionstring on a production server. But I never wrote anything down about it. And in the other projects I did later, I never had deploy to the production server. 

Yesterday, I had to use it again but I couldn't find it. Why? Because I never wrote about it. This blogpost is copy of Chirag Darji post about the encryption of the connectionstring in web.config. All credits to him!


The most sensitive information stored in web.config file can be the connection string. You do not want to disclose the information related to your database to all the users where the application is deployed. Every time it is not possible to have a private machine for your sites, you may need to deploy the site in shared host environment. To encrypt the connection string in above situation is advisable.

ASP.NET 2.0 provides in built functionality to encrypt few sections of web.config file. The task can be completed using Aspnet_regiis.exe. Below is the web.config file and <connectionStrings> section.   

	<add name="cn1" connectionstring="Server=DB SERVER;

Fig – (1) Connection string section of web.config file

     To encrypt the connection string section follow the steps,

1. Go to Start - Programm Files -> Microsoft Visual Studio 2005 -> Visual Tools
    -> Microsoft Visual Studio 2005 Command Prompt

2. Type following command,

    aspnet_regiis.exe -pef “connectionStrings” C:\Projects\DemoApplication

    -pef indicates that the application is built as File System website.  The second argument is the name of configuration section needs to be encrypted. Third argument is the physical path where the web.config file is located.

   If you are using IIS base web site the command will be,

   aspnet_regiis.exe -pe “connectionStrings” -app “/DemoApplication”

 -pe indicates that the application is built as IIS based site. The second argument is the name of configuration section needs to be encrypted. Third argument “-app” indicates virtual directory and last argument is the name of virtual directory where application is deployed.   

   If everything goes well you will receive a message “Encrypting configuration section…Succeeded!”

  Open your web.config file and you can see that connection string is encrypted,

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
	<EncryptedData Type=""
   		<EncryptionMethod Algorithm="" />		
		<KeyInfo xmlns=""> 
			<EncryptedKey xmlns="">
				<EncryptionMethod Algorithm="" />
				<KeyInfo xmlns="">
					<KeyName>Rsa Key</KeyName>		

Fig – (2) Encrypted connection string section


       You do not have to write any code to decrypt this connection string in your application, dotnet automatically decrypts it. So if you write following code you can see plaintext connection string.



    Now to decrypt the configuration section in web.config file use following command,

For File System Application,

aspnet_regiis.exe -pdf “connectionStrings” C:\Projects\DemoApplication

For IIS based Application

aspnet_regiis.exe -pd “connectionStrings” -app “/DemoApplication”


    If you want to encrypt any nested section in web.config file like <pages> element within <system.web> you need to write full section name as shown below,

aspnet_regiis.exe -pef “system.web/Pages” C:\Projects\DemoApplication

     You can encrypt all the sections of web.config file except following using the method I displayed in this article,


   To encrypt these section you needed to use Aspnet_setreg.exe tool.  For more detail about Aspnet_setreg.exe tool search Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.



Posted on Wednesday, June 8, 2011 2:07 PM , security , Just to remember | Back to top

Comments on this post: How to Encrypt connection string in web.config

# re: How to Encrypt connection string in web.config
Requesting Gravatar...
Must be very good to work in a company like this one. I wish all employers are like them. Putting fun into business is a unique but effective way to motivate workers. - Joe Zanotti
Left by Joe Zanotti on Jan 24, 2012 5:45 AM

# re: How to Encrypt connection string in web.config
Requesting Gravatar...
Good article and more usefull for freshers where they can learn such security tips for simple thing from comfiguration files.
Left by Suresh on May 15, 2012 12:51 PM

Your comment:
 (will show your gravatar)

Copyright © Jeroen Bourdeaud'hui | Powered by: