Storing and Reading Base64 Encoded Connection String in Web.Config
Introduction
Many people store database connection string in web.config file. However,
web.config file being an XML file, the data stored there is in clear text
format. This is especially important for connection strings because anybody can
easily see your database details including user id and password. In this article
we will see how you can encrypt values stored in web.config using Base64
encoding and later on decrypt them in your code. Note that Base64 encoding is
not a secure algorithm but it is a quick and easy way to hide the connection
string details from casual readers.
Storing custom values in web.config
You store custom configuration values in web.config using <appSettings>
section. The section looks like this:
<appSettings>
<add key="connectionstring"
value="data source=.\vsdotnet;initial
catalog=Northwind;user id=sa;password=mypassword"/>
</appSettings>
In short you store key-value pairs inside the <appSettings> section.
Encrypting connection string
In order to encrypt above connection string we will be using System.Convert
class. We will build a small console application that allows us to pass plain
connection string as command line argument and then displays encrypted version
on the console.
The code looks like this:
Public Shared Sub Main(args() As String)
Dim data() As Byte = System.Text.ASCIIEncoding.ASCII.GetBytes(args(0))
Dim str As String = Convert.ToBase64String(data)
Console.WriteLine(str)
End Sub
Here, we are using System.Text.ASCIIEncoding.ASCII class to convert the
connection string to an array of bytes. This is necessary because the Convert
class function ToBase64String() expects array of bytes and then returns Base64
encoded version of it.
You can invoke above application (I created it as Base64Encrypter.exe) at command prompt like this:
Base64Encrypter.exe "data source=.\vsdotnet;initial catalog=Northwind;user
id=sa;password=mypassword"
The output will be:
ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIGNhdGFsb2c9Tm9ydGh3aW5kO3VzZXIgaWQ9c2E7
cGFzc3dvcmQ9bXlwYXNzd29yZA==
You can now copy-paste this encoded version of the connection string in the
web.config. The new appSettings section will look like this:
<appSettings>
<add key="connectionstring"
value="ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIGNhdGFsb2c9Tm9ydGh3aW5kO3VzZXIgaWQ9c2E7
cGFzc3dvcmQ9bXlwYXNzd29yZA=="/>
</appSettings>
Reading the encrypted connection string back
Now, let us see how we can read the encrypted connection string and decrypt
it so that we can use it further.
Dim data() As Byte = Convert.FromBase64String
(ConfigurationSettings.AppSettings("connectionstring"))
str = System.Text.ASCIIEncoding.ASCII.GetString(data)
Here, we again used the Convert class and called its FromBase64String
function. This function accepts Base64 encoded string and returns a byte array.
In order to retrieve the appSetting value we used ConfigurationSettings class as
shown above. Finally, we used ASCII class again to convert the byte array to a
string.
Summary
In this article we saw how to encrypt and decrypt your web.config values
using Base64 encoding. Note that Base64 encoding is NOT a secure algorithm but
it hides the connection string details from causal readers. You can use some
stronger cryptographic algorithm if you wish.