什么是加密ASP.NET connetionStrings正确的方法是什么？ [英] What is the proper method for encrypting ASP.NET connetionStrings?

问题描述

我一直在寻找通过ASP.NET MVC应用程序加密是connectionStrings（Web.config文件）（.NET 4.0），似乎一般有两种方法来实现它（的例如1 和相关的例如2 ）：

I've been looking through several examples of encrypting connectionStrings (Web.config) in an ASP.NET MVC application (.NET 4.0) and it seems that there are two general ways to achieve it (example 1 and the related example 2):

使用aspnet_regiis工具。

使用aspnet_regiis的主要问题是，我可以（我的开发机器上）本地运行的工具，但该网站实际上是在Arvixe，就像任何其他的虚拟主机托管：有没有办法在服务器上运行命令。据我了解，如果我加密我的机器上的Web.config是connectionStrings和发布的Web.config，那么他们不能在服务器上进行解密（请纠正我，如果这是错误的）。

The main issue with using aspnet_regiis is that I can run the tool locally (on my development machine), but the web site actually hosted on Arvixe and like any other web host: there is no way to run commands on the server. As far as I understand, if I encrypt the Web.config connectionStrings on my machine and publish the Web.config, then they can't be decrypted on the server (please correct me if this is wrong).

请注意：我只使用了 RSAProtectedConfigurationProvider ，但我假设 DataProtectionConfigurationProvider 将具有相同的问题，因为它是用户/机器特有的。

Note: I only used the RSAProtectedConfigurationProvider, but I assume that the DataProtectionConfigurationProvider will have the same issue since it's user/machine specific.

编程方式加密的连接字符串。

编程加密是connectionStrings也有一个缺点：每次我发布我的网站的Web.config更新（用未加密的是connectionStrings），这意味着在一段时间内的Web.config不会被加密的时间。即使我保证当有改动它的Web.config只公布，该问题可能会减少，但不会减轻。

Programmatically encrypting the connectionStrings also has a drawback: every time I publish my web site the Web.config is updated (with the unencrypted connectionStrings) and this means that for some period of time the Web.config will not be encrypted. Even if I ensure that the Web.config is only published when there are changes to it, the issue may be minimized but not mitigated.

我认为，使用静态类可以进一步帮助减少是connectionStrings未加密的时间。不幸的是，加密是connectionStrings要求应用程序的路径，似乎让应用程序路径中的唯一方法是从请求（ Request.ApplicationPath ），并在一个静态类有（显然）没有要求。

I thought that using a static class may further help reduce the time connectionStrings are not encrypted. Unfortunately, encrypting the connectionStrings requires the application path and it seems that the only way to get the app path is from the request (Request.ApplicationPath) and in a static class there is (obviously) no request.

private void ProtectSection(string sectionName,
                                   string provider)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
                 config.GetSection(sectionName);

    if (section != null &&
              !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}

private void UnProtectSection(string sectionName)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
              config.GetSection(sectionName);

    if (section != null &&
          section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

UnProtectSection("appSettings");

ProtectSection("appSettings",
    "DataProtectionConfigurationProvider");

什么是加密的connectionString和消除/减少的Web.config部分未加密的时间量的正确方法？你写某种类型的，如果周围的部分是加密该检查并只使用包装的 OpenWebConfiguration 方法的包装呢？用户可以访问的您的网站的任何的网页，那么你如何拖延加密，直到他们要求从数据库中的一些数据还是你检查它是否是一有机会加密？

What's the proper way to encrypt the connectionString and eliminate/reduce the amount of time the Web.config section is not encrypted? Do you write some type of a wrapper around the OpenWebConfiguration method which check if the section is encrypted and only use that wrapper? Users may access any page on your web site, so how do you delay the encryption until they request some data from a database or do you check if it's encrypted at the first opportunity?

推荐答案

与共享的主机托管服务提供商最简单的方法很可能将是写自己的加密/解密程序和存储连接字符串无论是在应用程序设置，自定义XML文件，或文本文件，让你有完全控制的加密/解密过程...

The easiest way with the shared hoster is probably going to be to write your own encrypt/decrypt utility and store the connection string either in app settings, custom XML file, or text file, so that you have full control over the encryption/decryption process...

根据您的更新，你就可以用当前请求：

Per your update, you can get the current request via:

new HttpRequestWrapper(System.Web.HttpContext.Current.Request);

心连心。

这篇关于什么是加密ASP.NET connetionStrings正确的方法是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！