How to encrypt the connection string in a Web.config file

1. Run the ASP.NET IIS registration tool (aspnet_regiis.exe). The following example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"

2. Determine the user account or identity under which ASP.NET runs by retrieving the current WindowsIdentity name:

<%@ Page Language="C#" %>
<%
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
%>

3. Grant the NETWORK SERVICE account access to the machine-level “NetFrameworkConfigurationKey” RSA key container:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"

4. Decrypt the connectionStrings element of ASP.NET application SampleApplication:

aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"

Keep in mind that, by default:

  • On Windows Server 2008, the identity under which the application runs is the APPLICATION POOL account.
  • On Windows Server 2003, the identity under which the application runs is the NETWORK SERVICE account.
  • On other versions of Windows, ASP.NET runs under the local ASPNET account.
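
To confirm what step 1 (or the decryption in step 4) actually left on disk, the following PowerShell check reports whether the connectionStrings section of a Web.config is protected. It is an added example, not part of the original page: the function name Test-ConnectionStringsEncrypted and both sample configs are constructed for illustration, and it assumes the section sits directly under the configuration root.

```powershell
# Added example (hypothetical helper): classify the <connectionStrings> section.
function Test-ConnectionStringsEncrypted {
    param([Parameter(Mandatory)][xml]$Config)

    # local-name() keeps the lookup working when <configuration> declares a default xmlns.
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    if ($null -eq $section) {
        return [pscustomobject]@{ State = 'Missing'; Provider = $null; PlaintextEntries = 0 }
    }

    # aspnet_regiis -pe adds a configProtectionProvider attribute and replaces the
    # section's children with one <EncryptedData> element (XML Encryption namespace).
    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = @($section.ChildNodes | Where-Object {
        $_.LocalName -eq 'EncryptedData' -and
        $_.NamespaceURI -eq 'http://www.w3.org/2001/04/xmlenc#'
    }).Count

    # Any remaining <add connectionString="..."> is readable by anyone who can read the file.
    $plain = $section.SelectNodes("*[local-name()='add'][@connectionString]").Count

    $state = 'Unknown'
    if ($plain -gt 0) { $state = 'Plaintext' }
    elseif ($provider -and $encrypted -gt 0) { $state = 'Encrypted' }

    [pscustomobject]@{ State = $state; Provider = $provider; PlaintextEntries = $plain }
}

# Constructed samples: the credentials and the CipherValue are placeholders.
$before = @'
<configuration>
  <connectionStrings>
    <add name="Db" connectionString="Server=db;Database=app;User Id=u;Password=p" />
  </connectionStrings>
</configuration>
'@
$after = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@
Test-ConnectionStringsEncrypted -Config $before
Test-ConnectionStringsEncrypted -Config $after
```

For a deployed site, pass the file contents instead of a sample, for example `Test-ConnectionStringsEncrypted -Config (Get-Content .\Web.config -Raw)`.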