Our requirement is to not check in code to TFS that includes the username and password for production servers. But, we would still like to use the auto-build feature of TFS to make production deployments. For various reasons, we do not want to encrypt the appSettings in the web.config. Is it possible to put the passwords into the source code directly and to encrypt that single page of source, then check that page into TFS, and then auto-build and deploy an ASP.NET MVC website? Also, we are open to other ideas.

I should also add the username and password are for SAP. Database connection strings are already encrypted inside the connectionStrings block.

Also, would it be smarter to put the usernames and passwords into an XML file and encrypt that using asymmetric keys? https://msdn.microsoft.com/en-us/library/ms229746.aspx.

ADH
  • Maybe you can avoid username/password credentials in the first place? What are they used for (database, filesystem, ...)? – Christian.K Jul 22 '15 at 10:13
  • The username and password are for SAP. Database connection strings are already encrypted inside the connectionStrings block. How could we avoid using usernames and passwords? – ADH Jul 22 '15 at 10:14
  • If you haven't already, you could check if SAP supports "Integrated Security", like SQL Server does. – Christian.K Jul 22 '15 at 10:15
  • Some Google search results are: [Password storage in SC](http://stackoverflow.com/questions/559611/password-storage-in-source-control), [Should config values...](http://stackoverflow.com/questions/4243174/should-server-database-config-files-including-passwords-be-stored-in-source-co), [similar question](http://stackoverflow.com/questions/15520310/best-practices-for-storing-sensitive-information-in-source-code) – Beytan Kurt Jul 22 '15 at 11:59
  • How do you deploy the code? It would be better to add the sensitive information at deployment time rather than having it stored in source control. For example [Octopus Deploy provides several mechanisms](https://octopusdeploy.com/blog/new-in-2.0/sensitive-variables) to update config at deployment time – James Reed Jul 23 '15 at 23:18
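
One way to supply the SAP credentials at deployment time, as the last comment suggests, so they never enter TFS. This is an added example, not part of the original thread or any poster's code. It assumes hypothetical appSettings keys `SapUser` and `SapPassword` (checked in with empty values) and environment variables `SAP_USER` and `SAP_PASSWORD` that the build or release agent sets from its protected variable store.

```powershell
# Added example: fill SAP credentials into web.config at deployment time.
# Assumptions (not from the original page): appSettings keys "SapUser" and
# "SapPassword", and environment variables SAP_USER / SAP_PASSWORD that the
# build or release agent sets from its protected variable store.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath
)

$ErrorActionPreference = 'Stop'

# Map each appSettings key to the environment variable that carries its value.
$secretMap = @{
    'SapUser'     = 'SAP_USER'
    'SapPassword' = 'SAP_PASSWORD'
}

$fullPath = (Resolve-Path -LiteralPath $ConfigPath).Path
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($fullPath)

foreach ($key in $secretMap.Keys) {
    $envName = $secretMap[$key]
    $value = [Environment]::GetEnvironmentVariable($envName)
    if ([string]::IsNullOrEmpty($value)) {
        # Fail the deployment rather than ship a config with blank credentials.
        throw "Environment variable $envName is not set; refusing to deploy."
    }

    # The checked-in web.config keeps the key with an empty placeholder value.
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if ($null -eq $node) {
        throw "appSettings key '$key' not found in $fullPath."
    }
    $node.SetAttribute('value', $value)
}

$config.Save($fullPath)
# Report which keys were set, never the values, so build logs stay clean.
Write-Output ("Updated keys: " + (($secretMap.Keys | Sort-Object) -join ', '))
```

Run it as a post-build step against the deployed copy of web.config, and restrict file-system access to that copy, since the values are written in plain text.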

0 Answers