TL;DR
Storing connection strings directly in your ASP.NET web.config file is a security risk, especially when hosting in the cloud. This guide shows you how to store them securely using environment variables and Azure Key Vault (or similar services) for better protection.
Securing Your Connection Strings
- Understand the Risk: Directly embedding connection strings in your web.config exposes sensitive database credentials if your server is compromised.
- Use Environment Variables: This is the simplest method for basic security.
- In your cloud hosting control panel (e.g., Azure App Service, AWS Elastic Beanstalk), add environment variables for each connection string you need. For example:

    DB_CONNECTIONSTRING = "Data Source=yourserver;Initial Catalog=yourdatabase;Integrated Security=True;"

- In your ASP.NET application, read these variables in your Global.asax.cs or equivalent startup file:

    string connectionString = Environment.GetEnvironmentVariable("DB_CONNECTIONSTRING");

- Update your code to use the variable instead of a hardcoded string.
- Consider Azure Key Vault (or equivalent): For higher security, especially in production environments, use a dedicated secrets management service like Azure Key Vault. This provides encryption, access control, and auditing.
- Create an Azure Key Vault: In the Azure portal, create a new Key Vault instance.
- Store Your Connection Strings as Secrets: Add each connection string as a separate secret within your Key Vault. Give each secret a descriptive name (e.g., ‘MyDatabaseConnectionString’).
- Grant Access to Your Application: Assign the appropriate permissions to your application’s managed identity or service principal so it can read secrets from the Key Vault.
- Go to your Key Vault’s “Access policies” section.
- Add a policy allowing ‘Get’ and ‘List’ for your app’s service principal/managed identity. If the application only ever reads secrets whose names it already knows, ‘Get’ alone is sufficient and is the more least-privilege choice.
- Retrieve Secrets in Your ASP.Net Application: Use the Azure Key Vault SDK to retrieve secrets at runtime.
    using System;
    using System.Threading.Tasks;
    using Azure.Identity;                   // Add this NuGet package (Azure.Identity)
    using Azure.Security.KeyVault.Secrets;  // Add this NuGet package (Azure.Security.KeyVault.Secrets)

    // ... inside your code ...
    async Task<string> GetConnectionStringAsync()
    {
        var keyVaultEndpoint = "https://your-key-vault-name.vault.azure.net/";

        // Service principal credential. These three values are themselves secrets:
        // load them from configuration, never hardcode them as shown here.
        var credential = new ClientSecretCredential("your-tenant-id", "your-client-id", "your-client-secret");
        // Or use Managed Identity instead, which needs no stored secret at all:
        // var credential = new DefaultAzureCredential();

        var secretClient = new SecretClient(new Uri(keyVaultEndpoint), credential);
        KeyVaultSecret secret = await secretClient.GetSecretAsync("MyDatabaseConnectionString");
        return secret.Value;
    }
- Web.config Transformation (Optional): If you need to maintain a web.config file for deployment purposes, use Web.config transformation to replace placeholder values with environment variables or Key Vault secrets during the build process.
- Create a separate configuration file (e.g., web.release.config) containing transformations. The xdt:Transform and xdt:Locator attributes tell the transform engine which <add> element to change; the ${DB_CONNECTIONSTRING} token is a placeholder that your build or release pipeline substitutes with the real value, since XDT itself does not expand environment variables:

    <?xml version="1.0"?>
    <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
      <connectionStrings>
        <add name="MyDatabase"
             connectionString="${DB_CONNECTIONSTRING}"
             xdt:Transform="SetAttributes"
             xdt:Locator="Match(name)" />
      </connectionStrings>
    </configuration>
- Regularly Rotate Secrets: Change your connection strings periodically to minimize the impact of potential breaches. Azure Key Vault can help automate this process.
- Monitor Access Logs: Regularly review access logs for both environment variables and Key Vault to detect any unauthorized attempts to retrieve sensitive information.
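The following is an added example that ties the environment-variable and Key Vault steps above together; it is not code from the original guide. It reuses the names the guide uses (DB_CONNECTIONSTRING, MyDatabaseConnectionString) and assumes one further setting, KEYVAULT_URI, that you would define yourself. It goes slightly beyond the guide: the environment variable is tried first, Key Vault is the fallback via DefaultAzureCredential (managed identity in Azure, developer login locally, so no client secret is stored anywhere), the app refuses to start if neither source is configured, and a permission failure is reported without ever writing the secret value to a log.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Resolves the database connection string at startup without ever placing it in
// web.config. Order: environment variable (App Service "Application settings"),
// then Azure Key Vault via managed identity.
public static class ConnectionStringProvider
{
    private const string EnvVarName = "DB_CONNECTIONSTRING";       // name used in the guide
    private const string SecretName = "MyDatabaseConnectionString"; // secret name used in the guide
    private const string VaultUriSetting = "KEYVAULT_URI";          // assumed setting, e.g. https://<your-vault>.vault.azure.net/

    private static string _cached;

    public static async Task<string> GetAsync()
    {
        if (_cached != null) return _cached;

        // 1. Environment variable wins: simplest, and what App Service injects for app settings.
        var fromEnv = Environment.GetEnvironmentVariable(EnvVarName);
        if (!string.IsNullOrWhiteSpace(fromEnv))
            return _cached = fromEnv;

        // 2. Fall back to Key Vault. DefaultAzureCredential uses the app's managed identity
        //    in Azure and a developer login (Visual Studio, az CLI) on a workstation, so no
        //    client secret is embedded in code or configuration.
        var vaultUri = Environment.GetEnvironmentVariable(VaultUriSetting);
        if (string.IsNullOrWhiteSpace(vaultUri))
            throw new InvalidOperationException(
                $"Neither {EnvVarName} nor {VaultUriSetting} is set; refusing to start without a connection string.");

        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(SecretName);
            return _cached = secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity was authenticated but lacks the 'Get' secret permission.
            // Give operators an actionable message; the message names the secret, never its value.
            throw new InvalidOperationException(
                $"Access denied reading secret '{SecretName}' from {vaultUri}; " +
                "grant the app's identity 'Get' on secrets via an access policy or RBAC role.", ex);
        }
    }
}

// Global.asax.cs: resolve once at startup and hand the value to your data layer.
// Logging which source was used is fine; logging the value itself is not.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        string connectionString = ConnectionStringProvider.GetAsync().GetAwaiter().GetResult();
        // e.g. MyDataLayer.Initialize(connectionString);
    }
}
```

Because the value is cached after the first successful read, Key Vault is contacted once per process start rather than on every request, which keeps the audit log readable and avoids throttling; when you rotate the secret (as the guide recommends), restart or recycle the application so the new value is picked up.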