How to Encrypt and Decrypt Connection Strings and Other Configuration Information in ASP.NET 6.0

encrypting-connection-string-asp-net-core-6.0

One of the various ways application configuration can be performed using configuration providers in ASP.NET Core is by using appsettings.json file, which allows developers to read configuration data from key-value pairs.

Introduction

Configuration information for ASP.NET Core applications is commonly stored in a JSON format which is later read during runtime.

Some of this information is sensitive and may warrant protection. By default, the appsettings.json file will not be served to a Web site visitor, but an administrator or a hacker may gain access to the Web server's file system and view the contents of the file. 

In this tutorial, we will learn how to protect sensitive information by encrypting and decrypting the values of the JSON file.

The AppSettings File

Below is the structure of the appsettings.js file that we will be working with throughout this tutorial. The values are all in plain text, our task will be to encrypt the connection string and other values - SMTPSettings and we will later decrypt them at runtime.

encrypting-connection-string-asp-net-core-6.0-app-settings-json

Creating the Encryption Method

Let's start by creating the encryption method we will be used to encrypt and decrypt information within our app. The encryption algorithm will be AES. Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S National Institute of Standards and Technology (NIST) in 2001. AES is widely used today as it is much stronger than DES and triple DES despite being harder to implement. You can read more about AES here, here, and here.

Create a class name AESService and modify it like below:

The AppSettings Static Method

Our next task is to create a static class where we will retrieve the settings values and then decrypt them before returning them for use. In this method, we will be injecting IConfiguration Interface. If you want to know how to inject IConfiguration Interface in a static class then I have an article that explains this here.

Create a class named AppSettings and modify it like this:


As you can see, we are calling the AESService decrypt method from our class. Now we are ready to encrypt the values in appsettings.js. You can encrypt the connection string like so:

var conString = AESService.Encrypt("Server=tcp:localhost,1433;Initial Catalog=master;User ID=sa;Password=Password12!");

After encrypting the connection string, SMTP username, and password, the appsettings.json file should look like this:

encrypting-connection-string-asp-net-core-6.0-app-settings-json-encrypted


And now we can get the decrypted value by calling the AppSettings.Get method. Let's say we want to get the SMTP username, we will call it like this:

encrypt-appsettings-json-net-6-0



And that's it! I hope this article has helped someone.

No comments:

Powered by Blogger.