
Encrypting connection strings across dev environment

Author
31 Mar 2006 2:35 PM
Becky VanBruggen
I'm in the process of trying to create a template ASP.NET 2.0 web site for
all the developers in my group. I'd like to encrypt the connection strings
for commonly used databases and put them in every developer's machine.config
file. However, I'm not sure the best encryption to use.

1.) Do I use a machine-level container?
2.) Do I use a user-level container?
3.) Do I use no encryption in the dev environment and just implement that in
the production environment?
4.) Do I treat my developers like a web farm and deploy a single key to
everyone?

Thanks for your help.

Author
31 Mar 2006 3:24 PM
Mitch Gallant
How many devs? If a small number, consider having separate encryption
credentials for each dev (e.g. an RSA keypair for each).
- Mitch

"Becky VanBruggen" <BeckyVanBrug***@discussions.microsoft.com> wrote in message
news:67479583-0C7E-444A-A3F7-55B5045EB76C@microsoft.com...
> I'm in the process of trying to create a template ASP.NET 2.0 web site for
> all the developers in my group. I'd like to encrypt the connection strings
> for commonly used databases and put them in every developer's machine.config
> file. However, I'm not sure the best encryption to use.
>
> 1.) Do I use a machine-level container?
> 2.) Do I use a user-level container?
> 3.) Do I use no encryption in the dev environment and just implement that in
> the production environment?
> 4.) Do I treat my developers like a web farm and deploy a single key to
> everyone?
>
> Thanks for your help.
Author
31 Mar 2006 3:40 PM
Becky VanBruggen
About 6-8 developers.

Thanks for your help.

"Mitch Gallant" wrote:

> How many devs? If a small number, consider having separate encryption
> credentials for each dev (e.g. an RSA keypair for each).
>  - Mitch
>
> "Becky VanBruggen" <BeckyVanBrug***@discussions.microsoft.com> wrote in message
> news:67479583-0C7E-444A-A3F7-55B5045EB76C@microsoft.com...
> > I'm in the process of trying to create a template ASP.NET 2.0 web site for
> > all the developers in my group. I'd like to encrypt the connection strings
> > for commonly used databases and put them in every developer's machine.config
> > file. However, I'm not sure the best encryption to use.
> >
> > 1.) Do I use a machine-level container?
> > 2.) Do I use a user-level container?
> > 3.) Do I use no encryption in the dev environment and just implement that in
> > the production environment?
> > 4.) Do I treat my developers like a web farm and deploy a single key to
> > everyone?
> >
> > Thanks for your help.
>
>
>
Author
31 Mar 2006 3:33 PM
Dominick Baier [DevelopMentor]
i wouldn't go through the hassle of encrypting the config strings on the
dev machines -

devs are smart enough to call ConfigurationSection.Unprotect() :))

why do you want to protect the connection string? are there usernames and
password embedded? better go for windows integrated authentication - if there
are no secrets - then there is nothing to hide.

i would implement encryption of config files as part of your deployment process
to a production server

besides that - always use the machine container for ASP.NET

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm in the process of trying to create a template ASP.NET 2.0 web site
> for all the developers in my group. I'd like to encrypt the connection
> strings for commonly used databases and put them in every developer's
> machine.config file. However, I'm not sure the best encryption to use.
>
> 1.) Do I use a machine-level container?
> 2.) Do I use a user-level container?
> 3.) Do I use no encryption in the dev environment and just implement
> that in the production environment?
> 4.) Do I treat my developers like a web farm and deploy a single key
> to everyone?
> Thanks for your help.
>
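
The deployment-time approach suggested in the last reply, as an added example that is not part of the original thread: a PowerShell step that encrypts `connectionStrings` on the production server with the machine-level RSA container, and skips the work when the strings embed no password. The site path and worker identity are placeholder assumptions; `NetFrameworkConfigurationKey` is the key container that the default `RsaProtectedConfigurationProvider` entry in machine.config uses.

```powershell
# Added example, not code from the thread. Deployment step for a production server.
# Assumptions: $SitePath and $AppIdentity are placeholders; the framework path is
# the standard .NET 2.0 location; the site uses the default RSA provider.
param(
    [string]$SitePath    = 'C:\inetpub\wwwroot\SampleApp',    # hypothetical site folder
    [string]$AppIdentity = 'NT AUTHORITY\NETWORK SERVICE',    # assumed worker identity
    [string]$RegIis      = "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
)
$ErrorActionPreference = 'Stop'
$webConfig = Join-Path $SitePath 'web.config'

function Get-ConnectionStringsSection([string]$Path) {
    # Returns the <connectionStrings> element, or $null when the file has none.
    [xml]$doc = Get-Content -Path $Path -Raw
    return $doc.configuration.connectionStrings
}

$section = Get-ConnectionStringsSection $webConfig
if ($null -eq $section) { Write-Output 'No connectionStrings section.'; return }
if ($section.configProtectionProvider) {
    Write-Output "Already protected by $($section.configProtectionProvider)."; return
}

# Only connection strings that embed credentials contain a secret worth encrypting;
# integrated-authentication strings carry no password.
$withSecrets = @($section.add | Where-Object { $_.connectionString -match '(?i)\b(password|pwd)\s*=' })
if ($withSecrets.Count -eq 0) {
    Write-Output 'No embedded passwords found; section left in clear text.'; return
}

# Encrypt in place with the provider that machine.config defines by default.
# It uses the machine-level RSA key container "NetFrameworkConfigurationKey".
& $RegIis -pef 'connectionStrings' $SitePath -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }

# Let the worker process identity read the machine container so it can decrypt at run time.
& $RegIis -pa 'NetFrameworkConfigurationKey' $AppIdentity
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }

# Verify the result: provider attribute present and no clear-text <add> entries left.
$after = Get-ConnectionStringsSection $webConfig
if (-not $after.configProtectionProvider -or $after.add) {
    throw 'connectionStrings is still readable after encryption.'
}
Write-Output "Encrypted $($withSecrets.Count) connection string(s) in $webConfig."
```

Run it from an elevated prompt on the target server, since the section is encrypted with that machine's key container and cannot be decrypted elsewhere unless the container is exported and imported.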